[SR-Users] Auth module with shared "secret"

Daniel Tryba d.tryba at pocos.nl
Thu May 17 15:02:13 CEST 2018

On Thu, May 17, 2018 at 11:48:48AM +0100, Asgaroth wrote:
> > This works with all auth params set to default. My guess the following
> > are the cause of problems.
> > > > modparam("auth", "nonce_count", 1)
> > > > modparam("auth", "one_time_nonce", 1)
> > 
> Daniel, *thank you*, this was exactly what was causing the issue, disabled
> the above two module parameters and, boom, it started working.
> I wonder why these particular module parameters would break the
> functionality though, I thought the idea was that each proxy would be able
> to generate the nonce with a shared secret if it recieved a challenge
> response from a ua who's nonce was generated on a different proxy. Is this a
> bug, or, is it working as intended when these two module paramters are
> enabled?

I was looking at the wording for nonce_count 
"3.5. nonce_count (boolean)

If enabled the received nc value is remembered and checked against the
older value (for a successful authentication the received nc must be
greater then the previously received one, see rfc2617 for more details).
This will provide protection against replay attacks while still allowing
credentials caching at the UA side."

It sounds like this is kept in memory. Since this isn't shared between
kamailio instances, the discrepancies in nonce count should trigger the
replay attack prevention mechanism (i.e. offer a new challenge).

So I guess this is indended behavior.

More information about the sr-users mailing list