[SR-Users] Can't get route[AUTH] working as expected.
SamyGo
govoiper at gmail.com
Sat Mar 24 16:49:30 CET 2018
Yeah, so thats a sample script and definitely needs add-on functions to
enable what you're expecting it to do.
I believe in the past(*or maybe in opensips, Im not certain) it used to
have the function db_check_from() / check_from() to validate user in DB if
so then engage in AUTH. Check URI_DB module.
You can also use this function is_subscriber("$fU","subscriber",3)
<http://www.kamailio.org/docs/modules/5.0.x/modules/auth_db.html#idp44935044>
to
ensure authentication is engaged for everyone.
On Fri, Mar 23, 2018 at 3:54 PM, Aqs Younas <aqsyounas at gmail.com> wrote:
> Thanks Samy for replying.
>
> I wanted if Caller IP was not allowed it should be asked for digest
> authentication. But above default AUTH route only do that if from_uri is
> local. If someone set a different URI in from header he will be able to
> bypass the security check. Correct me if I am wrong somewhere.
>
> I know I can modify the route to get the expected request.
>
> But just wanted to ask if setting #!define WITH_AUTH and #!define
> WITH_IPAUTH was not enough in default configuration just to make sure
> caller is legitimate.
>
> Br. Aqs.
>
> On 23 March 2018 at 23:54, SamyGo <govoiper at gmail.com> wrote:
>
>> Hi Aqs,
>> What seems to be the problem ! do you want this caller to be IP
>> Authenticated or Digest Authenticated or denied !?
>>
>>
>> On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyounas at gmail.com> wrote:
>>
>>> Greetings list.
>>>
>>> I can see that I was able to bypass the default route[AUTH] if I send an
>>> invite containing from_uri which is not local but requested line containing
>>> a local user.
>>>
>>> llisten=udp:172.16.40.10:5060
>>>
>>> route[AUTH] {
>>> #!ifdef WITH_AUTH
>>> #!ifdef WITH_IPAUTH
>>> if((!is_method("REGISTER")) && allow_source_address()) {
>>> # source IP allowed
>>> return;
>>> }
>>> #!endif
>>> if (is_method("REGISTER") || from_uri==myself) {
>>> # authenticate requests
>>> if (!auth_check("$fd", "subscriber", "1")) {
>>> auth_challenge("$fd", "0");
>>> exit;
>>> }
>>> # user authenticated - remove auth header
>>> if(!is_method("REGISTER|PUBLISH"))
>>> consume_credentials();
>>> }
>>> # if caller is not local subscriber, then check if it calls
>>> # a local destination, otherwise deny, not an open relay here
>>> if (from_uri!=myself && uri!=myself) {
>>> sl_send_reply("403","Not relaying");
>>> exit;
>>> }
>>> #!else
>>> # authentication not enabled - do not relay at all to foreign networks
>>> if(uri!=myself) {
>>> sl_send_reply("403","Not relaying");
>>> exit;
>>> }
>>> #!endif
>>> return;
>>> }
>>>
>>> Below INVITE get passed above auth route.
>>>
>>>
>>> INVITE sip:60129879190 at 172.16.40.10 SIP/2.0
>>> Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
>>> Max-Forwards: 70
>>> From: <sip:0128888877 at 139.5.177.99>;tag=as2274e806
>>> To: <sip:60129879190 at 172.16.40.10>
>>> Contact: <sip:0128888877 at 139.5.177.91:5060>
>>> Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b at 139.5.177.91:5060
>>> CSeq: 102 INVITE
>>> User-Agent: FPBX-13.0.194.2(13.17.0)
>>> Date: Fri, 23 Mar 2018 09:33:01 GMT
>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
>>> INFO, PUBLISH, MESSAGE
>>> Supported: replaces, timer
>>> Content-Type: application/sdp
>>> Content-Length: 321
>>>
>>> v=0
>>> o=root 237494576 237494576 IN IP4 139.5.177.99
>>> s=Asterisk PBX 13.17.0
>>> c=IN IP4 139.5.177.99
>>> t=0 0
>>> m=audio 15332 RTP/AVP 0 18 8 101
>>> a=rtpmap:0 PCMU/8000
>>> a=rtpmap:18 G729/8000
>>> a=fmtp:18 annexb=no
>>> a=rtpmap:8 PCMA/8000
>>> a=rtpmap:101 telephone-event/8000
>>> a=fmtp:101 0-16
>>> a=ptime:20
>>> a=maxptime:150
>>> a=sendrecv
>>>
>>> From INVITE and route[AUTH] I can see why it is being passed.
>>>
>>> But should not it by default authenticate every request if IP address is
>>> not allowed in permission module.
>>>
>>> Br, Aqs.
>>>
>>> _______________________________________________
>>> Kamailio (SER) - Users Mailing List
>>> sr-users at lists.kamailio.org
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20180324/45b3d6c1/attachment.html>
More information about the sr-users
mailing list