[SR-Users] Authentication: Is it possible to ignore realm? How to avoid unnecessary challenge because of changed realm?

Henning Westerholt hw at gilawa.com
Tue Nov 1 11:43:02 CET 2022


Hello,

What about just using the approach in the documentation and example cfg, taking the From domain as realm for the challenge?

Cheers,

Henning

-- 
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com

-----Original Message-----
From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Benoit Panizzon
Sent: Tuesday, November 1, 2022 10:00 AM
To: sr-users at lists.kamailio.org
Subject: [SR-Users] Authentication: Is it possible to ignore realm? How to avoid unnecessary challenge because of changed realm?

Hi

As mentioned in the last email, we have a CPE which adds credentials to any request so I would like to validate them.

We use $rd as realm. Let's use example.com as example.

During the initial INVITE, this works as expected.

I try to only show the headers I think are relevant to the issue I face.

INVITE sip:1234@example.com SIP/2.0
Proxy-Authorization: [...] realm="example.com"
Contact: <sip:9876@192.168.1.1:5060>

Authentication user in realm "example.com" == $rd is validated and accepted.

The connection is established:

200 OK
From: <sip:9876@example.com>;tag=1
To: <sip:1234@example.com>;tag=2
Contact:  <sip:1234@192.168.7.7:5060>

The caller terminates the connection:

BYE: sip:1234@192.168.7.7:5060 SIP/2.0
From: <sip:9876@example.com>;tag=1
To: <sip:1234@example.com>;tag=2
Proxy-Authorization: [...] realm="example.com"

Performing:
$var(authres) = pv_auth_check("$rd", "$avp(authsecret)", "0", "1");

fails with result -5 as there is no authsecret for realm "192.168.7.7"

So an unnecessary challenge is issued:

SIP/2.0 407 Proxy Authentication Required
To:  <sip:1234@example.com>
From: <sip:9876@example.com>
CSeq:  3 BYE
Proxy-Authenticate: Digest realm="192.168.7.7"

To which the client replies with the changed realm:

Proxy-Authorization:  Digest username="****",realm="157.161.7.7",[...]

and succeeds authentication.

Is there a way to accept 'any' realm? Or to avoid this unnecessary change of realm just because the remote site submitted a domain realm in the contact header?

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________

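
Added example (not part of the thread and not the Kamailio project's own config): a route sketching the suggestion in the reply, using the From domain ($fd) as realm for both the check and the challenge, so the realm no longer follows the Request-URI of in-dialog requests. The route name AUTH, the $var(realm) variable and the pre-filled $avp(authsecret) are assumptions.

```kamailio
# Added example, not from the thread. Assumes the auth, textops and xlog
# modules are loaded and that $avp(authsecret) already holds the password
# for the user (how it is loaded is outside this sketch).

route[AUTH] {
    # ACK and CANCEL cannot be challenged, so they are not authenticated here
    if (is_method("ACK|CANCEL")) {
        return;
    }

    # $rd follows the Request-URI. For an in-dialog request such as the BYE
    # in the thread, the Request-URI is the peer's Contact (192.168.7.7),
    # so a realm built from $rd changes mid-dialog. The From domain stays
    # example.com for every request of the dialog.
    $var(realm) = $fd;

    # Same flags and checks values as the call shown in the thread
    $var(authres) = pv_auth_check("$var(realm)", "$avp(authsecret)", "0", "1");
    if ($var(authres) < 0) {
        xlog("L_NOTICE", "auth result $var(authres) for $fu, realm $var(realm), src $si\n");
        # Challenge with the same realm that was checked, so the client's
        # retry carries credentials the next check will find
        auth_challenge("$var(realm)", "0");
        exit;
    }

    # Strip the credentials before the request is relayed
    consume_credentials();
}
```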