[OpenSIPS-Users] learning the realm from authentication challenges

johan johan at democon.be
Fri Sep 25 14:24:38 EST 2020


How funny.  I think that BW runs OpenSIPS internally :-)

Bogdan surely knows.

On 25/09/2020 16:13, Jeff Pyle wrote:
> Johan,
>   I will definitely try that.  Thank you!
>
> Ben,
>   The problem is I have multiple destinations with the same realm.  In 
> my case, several different Broadworks app servers.  I haven't checked 
> them exhaustively but I think they all reply with realm="BroadWorks" 
> in their authentication headers.  I've got some Asterisk boxes in 
> here, and I think they're all the domain of the SIP request URI in the 
> case of an INVITE.  I think I'll have to choose ahead of time which 
> credentials go with which route, no?  Unless I'm still not wrapping my 
> head around how this is supposed to work.
>
>
> - Jeff
>
>
>
>
> On Fri, Sep 25, 2020 at 9:22 AM Ben Newlin <Ben.Newlin at genesys.com> wrote:
>
>     Jeff,
>
>     My point was that the uac_auth() is supposed to handle the realm
>     matching for you. If you simply load all of the auth data based on
>     the call target as you already plan to do, uac_auth() should look
>     through that data for you to find credentials with a matching
>     realm. You don’t need to do that part yourself in the script.
>
>     Ben Newlin
>
>     From: Users <users-bounces at lists.opensips.org>
>     Date: Thursday, September 24, 2020 at 11:14 PM
>     To: OpenSIPS users mailling list <users at lists.opensips.org>
>     Subject: Re: [OpenSIPS-Users] learning the realm from authentication challenges
>
>     Good catch on Proxy-Authorization vs Proxy-Authenticate.  I think
>     I've been looking at this too long.  I checked the module and
>     that's exactly what it is.
>
>     My hope was to load the uac_auth user/pass AVPs ahead of time from
>     a DB based on where I knew I was sending the call, load the realm
>     one in the failure route based on what comes back in the header,
>     and then fire the uac_auth() function. It looks like I may have to
>     manually extract the realm from whichever header comes in.  Not
>     ideal, but probably workable.
>
>     - Jeff
>
>     On Thu, Sep 24, 2020 at 9:58 PM Ben Newlin <Ben.Newlin at genesys.com> wrote:
>
>         This does not appear to be documented, but I believe
>         uac_auth() looks through the AVPs configured in the UAC_AUTH
>         module and uses the first one whose realm matches the
>         challenge realm. So in order to authenticate any challenge,
>         you must load all of the possible credentials into those AVPs.
>
>         Ben Newlin
>
>         From: Users <users-bounces at lists.opensips.org>
>         Date: Thursday, September 24, 2020 at 9:53 PM
>         To: OpenSIPS users mailling list <users at lists.opensips.org>
>         Subject: Re: [OpenSIPS-Users] learning the realm from authentication challenges
>
>         According to the docs, $ar provides the realm from the
>         “Authorization” or “Proxy-Authorization” headers. Not from the
>         “Proxy-Authenticate” header, which is what you have.
>
>         https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6
>
>         Ben Newlin
>
>         From: Users <users-bounces at lists.opensips.org>
>         Date: Thursday, September 24, 2020 at 9:31 PM
>         To: OpenSIPS users mailling list <users at lists.opensips.org>
>         Subject: [OpenSIPS-Users] learning the realm from authentication challenges
>
>         I'm trying to recover the realm of an auth challenge to
>         OpenSIPS so I can respond to it with the uac_auth() function,
>         and that requires knowing the realm.  The docs say that $ar
>         <https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6>
>         should provide that, perhaps written like $(<reply>ar) to get
>         it in the right context.  I'm having some trouble getting the
>         data.
>
>         failure_route[relay_failure] {
>         ...
>
>                 if (t_check_status("407")) {
>                         xlog("L_NOTICE", "[1] Proxy-Authenticate: $(<reply>hdr(Proxy-Authenticate))\n");
>                         xlog("L_NOTICE", "[2] Auth Realm: $(<reply>ar)\n");
>                         xlog("L_NOTICE", "[3] Auth Realm: $ar\n");
>                 }
>
>         ...
>
>         }
>
>         The logs show:
>
>         /usr/sbin/opensips[33044]: [1] Proxy-Authenticate: Digest realm="asterisk", nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd", qop="auth"
>         /usr/sbin/opensips[33044]: [2] Auth Realm reply: <null>
>         /usr/sbin/opensips[33044]: [3] Auth Realm: <null>
>
>         Is it possible to get the realm?  Is it possible to build a
>         response with uac_auth() for an arbitrary authentication
>         challenge?
>
>         This is on 3.1.0~20200923~88f89e941.
>
>         - Jeff
>
>         _______________________________________________
>         Users mailing list
>         Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>         http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

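Added example, not part of the thread and not OpenSIPS code: a Python sketch that parses the realm out of a Proxy-Authenticate challenge like the one logged above and selects credentials by next hop plus realm, since the thread notes that several destinations answer with the same realm. The host names, the BroadWorks nonce and all credentials are constructed placeholders.

```python
import re

# key=value pairs of a Digest challenge: quoted-string (backslash escapes
# allowed) or bare token, per the HTTP Digest syntax that SIP reuses.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_challenge(header_value):
    """Return the challenge parameters as a dict with lower-cased keys."""
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].lower() != "digest":
        raise ValueError("not a Digest challenge")
    params = {}
    for key, quoted, token in _PARAM.findall(parts[1] if len(parts) > 1 else ""):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params.setdefault(key.lower(), value)  # first occurrence wins
    if "realm" not in params:
        raise ValueError("challenge carries no realm")
    return params


def select_credentials(store, next_hop, header_value):
    """Look up (user, password) by (next hop, realm); None if nothing matches.

    Keying on the next hop as well as the realm keeps two servers that both
    announce the same realm from being answered with each other's credentials.
    """
    realm = parse_digest_challenge(header_value)["realm"]
    return store.get((next_hop, realm))


# Challenge value as logged in the thread.
ASTERISK_CHALLENGE = ('Digest realm="asterisk", '
                      'nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd", '
                      'qop="auth"')
# Constructed sample: a challenge with the shared realm mentioned in the thread.
BROADWORKS_CHALLENGE = 'Digest realm="BroadWorks", nonce="constructed-nonce", qop="auth"'

# Constructed store; host names, users and passwords are placeholders.
CREDENTIALS = {
    ("as1.example.net", "BroadWorks"): ("trunk-a", "placeholder-a"),
    ("as2.example.net", "BroadWorks"): ("trunk-b", "placeholder-b"),
    ("pbx1.example.net", "asterisk"): ("trunk-c", "placeholder-c"),
}

if __name__ == "__main__":
    for hop, hdr in [("as1.example.net", BROADWORKS_CHALLENGE),
                     ("as2.example.net", BROADWORKS_CHALLENGE),
                     ("pbx1.example.net", ASTERISK_CHALLENGE)]:
        print(hop, parse_digest_challenge(hdr)["realm"], select_credentials(CREDENTIALS, hop, hdr))
```

A lookup that returns None means the challenge came from a realm that was not expected for that next hop, so no response is built for it.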
