[SR-Users] Auth for SUBSCRIBE and others

Kevin Olbrich ko at sv01.de
Wed Mar 20 15:45:01 CET 2019


Hi again!

Any hints? Has someone tested these modules with Kamailio 5.2?

Thank you
Kevin

On Tue, 19 March 2019 at 16:40, Kevin Olbrich <ko at sv01.de> wrote:
>
> Hi Henning,
>
> thank you! I will check that again.
>
> In the meantime, I tried to get this running:
> http://kb.asipto.com/kamailio:presence:k43-blf
>
> In my setup, the local node is also the presence server (... or should be).
> BLF is working perfectly fine if I disable AUTH (PUBLISH to local ->
> NOTIFY to phones).
>
> If I enable AUTH, I can see "PUBLISH" sent to the node itself, getting
> denied by a 407 "Proxy Authentication Required".
>
> Do I really need a SIP message flowing to myself to "PUBLISH" the
> change detected by dlg_manage() + presence_dialoginfo +
> pua_dialoginfo?
> The behavior seems to be correct for external presence management
> where I do IP based auth.
> To my understanding, Kamailio could handle that internally without
> building a SIP message(?).
>
> This is what I set up as params (pbx.example.com -> DOMAIN,
> 123.123.123.123 Public IP of node):
> =======================>%=======================
> #!ifdef WITH_PRESENCE
> # ----- presence params -----
> modparam("presence", "db_url", DBURL)
> modparam("presence", "server_address","sip:123.123.123.123:5060")
> modparam("presence", "send_fast_notify", 0)
> modparam("presence", "db_update_period", 20)
> modparam("presence", "subs_db_mode", 2)
> modparam("presence", "fetch_rows", 1000)
>
> # ----- presence_xml params -----
> modparam("presence_xml", "db_url", DBURL)
> modparam("presence_xml", "force_active", 1)
>
> # ----- presence_dialoginfo params -----
> modparam("presence_dialoginfo", "force_single_dialog", 0)
>
> # -- dialog params --
> modparam("dialog", "db_url", DBURL)
> modparam("dialog", "db_mode", 1)
> modparam("dialog", "dlg_match_mode", 1)
> modparam("dialog", "enable_stats", 1)
> modparam("dialog", "dlg_flag", FLT_DLG)
>
> # -- pua parameters --
> modparam("pua", "db_url", DBURL)
> modparam("pua", "db_mode", 2)
> modparam("pua", "update_period", 60)
> modparam("pua", "dlginfo_increase_version", 0)
> modparam("pua", "reginfo_increase_version", 0)
> modparam("pua", "check_remote_contact", 1)
> modparam("pua", "fetch_rows", 1000)
>
> # ----- pua_dialoginfo params -----
> modparam("pua_dialoginfo", "include_callid", 1)
> modparam("pua_dialoginfo", "send_publish_flag", FLT_DLGINFO)
> modparam("pua_dialoginfo", "caller_confirmed", 0)
> modparam("pua_dialoginfo", "include_tags", 1)
> modparam("pua_dialoginfo", "override_lifetime", 124)
>
> # CUSTOM
> modparam("pua_usrloc", "default_domain", "pbx.example.com")
> modparam("pua_reginfo", "server_address", "sip:123.123.123.123:5060")
> modparam("pua_reginfo", "default_domain", "pbx.example.com")
> #!endif
> =======================>%=======================
>
> Kind regards
> Kevin
>
> On Mon, 18 March 2019 at 22:55, Henning Westerholt <hw at kamailio.org> wrote:
> >
> > On Monday, 18 March 2019, 19:42:30 CET, Kevin Olbrich wrote:
> > > I rolled back the change and Kamailio still sends the challenge. Seems
> > > I took the wrong transaction during debug...
> > >
> > > On Mon, 18 March 2019 at 19:16, Kevin Olbrich <ko at sv01.de> wrote:
> > > > Hi!
> > > >
> > > > I am implementing forwarding of SUBSCRIBE (BLF) to an Asterisk behind
> > > > Kamailio. This works but Kamailio is not requesting Auth.
> > > >
> > > > I then added SUBSCRIBE to:
> > > > https://github.com/kamailio/kamailio/blob/master/etc/kamailio.cfg#L746
> > > >
> > > > And it now challenges the client correctly.
> > > >
> > > > Why does this line only show REGISTER?
> > > > Shouldn't it request a challenge for all messages?
> > > > And why does it work with INVITES ootb?
> >
> > Hi Kevin,
> >
> > have a look at e.g. this page:
> >
> > https://andrewjprokop.wordpress.com/2015/01/27/understanding-sip-authentication/
> >
> > "That means that messages like INVITE and BYE will receive 407 responses and
> > REGISTER and SUBSCRIBE will receive 401 responses."
> >
> > For this reason there are two *challenge functions available in the
> > auth module.
> >
> > Cheers,
> >
> > Henning
> >
> >
> > --
> > Henning Westerholt - https://skalatan.de/blog/
> > Kamailio services - https://skalatan.de/services
> > Kamailio security assessment - https://skalatan.de/de/assessment
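
The two challenge functions mentioned above, used in a route for the setup where Kamailio is itself the presence server. This is an added example, not code from the thread or from the stock kamailio.cfg. The route name AUTH_PRESENCE is hypothetical, and exempting PUBLISH by source address is an assumption about how the locally generated PUBLISH is to be let through.

```kamailio
# Added example. Assumes the auth, auth_db and textops modules are loaded
# and credentials live in the default "subscriber" table.
route[AUTH_PRESENCE] {
	# PUBLISH built by pua_dialoginfo is sent from the node's own address.
	# Assumption: the network in front of this node drops outside packets
	# that carry the node's own source IP. Without that filtering, a spoofed
	# UDP PUBLISH would pass this check unauthenticated.
	if (is_method("PUBLISH") && src_ip == myself) {
		return;
	}

	if (is_method("REGISTER|SUBSCRIBE|PUBLISH")) {
		# Kamailio is the end server for these requests: challenge with
		# 401 and verify the Authorization header.
		if (!www_authorize("$fd", "subscriber")) {
			www_challenge("$fd", "0");
			exit;
		}
	} else if (from_uri == myself) {
		# Requests that are relayed onwards (INVITE, BYE, ...): challenge
		# with 407 and verify the Proxy-Authorization header.
		if (!proxy_authorize("$fd", "subscriber")) {
			proxy_challenge("$fd", "0");
			exit;
		}
		# Do not forward the credentials to the next hop.
		consume_credentials();
	}
}
```

Unlike auth_check() with flag "1", www_authorize() and proxy_authorize() do not compare the authentication username with the From/To user, so add that check if accounts must not publish or subscribe on behalf of each other.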


