Hello,
actually nothing changed in the old functions. A new one was added to the auth_db module, auth_check(), that combines the www/proxy_auth* functions, and another one to the auth module, auth_challenge(), that combines internally www/proxy_challenge(). For now, auth_check() can additionally check the auth username against the To/From header username.
So, nothing has changed in the old functions, backward compatibility is fully ensured, and I have no plan to touch them.
One of the purposes of the new function is to reduce the size of the default config, by offering the behavior of the common use case. The user check is done based on a parameter flag anyhow.
The next plan with this function is to bind it to the htable module (a matter of a module parameter) to count failed authentications per user and give the option to write a log message to alert and temporarily disable authentication for users failing to authenticate several times in a row -- in other words, a way to protect against dictionary attacks. This can be achieved with config file scripting, but for newcomers it might not be that obvious how to do it, and in the context of the many such scanning attacks that happen lately, I found it interesting to just make an out-of-the-box function for it.
Cheers, Daniel
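The "config file scripting" route Daniel mentions, written out as an added example (not code from the thread or from the sip-router project): per-user failed-authentication counters in an htable that auto-expire, so a user who fails too often is refused until the counter ages out. It assumes the auth_check(realm, table, flags) and auth_challenge(realm, flags) signatures, that flag 1 on auth_check enables the username check, and a threshold of 5 failures with a 300-second block window; the htable name "failauth" and the route name are also made up for the example.

```kamailio
# --- added example: dictionary-attack protection with htable ---
loadmodule "htable.so"
# counters live 300s; an entry that stops being touched expires on its own,
# which is what makes the block temporary (300 is an assumed window)
modparam("htable", "htable", "failauth=>size=8;autoexpire=300;")

route[AUTH] {
    if (is_method("REGISTER") || from_uri == myself) {
        # user already over the limit (assumed threshold: 5 failures)
        if ($sht(failauth=>$au) != $null && $sht(failauth=>$au) >= 5) {
            xlog("L_ALERT", "auth temporarily disabled for user $au "
                 "(too many failed authentications), request from $si\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
        # realm from From domain, subscriber table, flag 1 = check that the
        # auth username matches the To/From username (assumed flag meaning)
        if (!auth_check("$fd", "subscriber", "1")) {
            # count the failure; $shtinc increments and returns the new value
            if ($shtinc(failauth=>$au) == 5) {
                xlog("L_ALERT", "user $au reached the failed-auth limit, "
                     "blocking for the expire window, last attempt from $si\n");
            }
            auth_challenge("$fd", "0");
            exit;
        }
        # successful authentication: drop the counter for this user
        $sht(failauth=>$au) = $null;
        consume_credentials();
    }
}
```

A successful login clears the counter, so only an unbroken run of failures within the window trips the block, which is the "several times in a row" behavior described above.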
On 11/15/11 3:15 AM, Juha Heinanen wrote:
Alex Balashov writes:
The problem, as you well know, is that not having the check allows a user A to impersonate the identity of any other user B, as long as user A has his own valid credentials for himself.
yes, i well know it and therefore one needs to check if the user really owns the uri or not. to make an automatic invalid check is in my opinion a very bad idea, since according to rfc3261 uri userpart does not have anything to do with user's authentication username.
-- juha
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev