Module: sip-router
Branch: master
Commit: eace40eb04ff038fce0f81dc1c08864e1e966e98
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=eace40e…
Author: Olle E. Johansson <oej(a)edvina.net>
Committer: Olle E. Johansson <oej(a)edvina.net>
Date: Mon Nov 19 15:44:54 2012 +0100
auth Update documentation for the "secret" parameter
Thanks to Carsten Bock for finding this in the 1.5 documentation.
---
modules/auth/README | 18 ++++++++++++++----
modules/auth/doc/params.xml | 10 ++++++++++
2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/modules/auth/README b/modules/auth/README
index 607eae1..fa90d51 100644
--- a/modules/auth/README
+++ b/modules/auth/README
@@ -15,7 +15,7 @@ Daniel-Constantin Mierla
asipto.com
<miconda(a)gmail.com>
- Copyright © 2002, 2003 FhG FOKUS
+ Copyright � 2002, 2003 FhG FOKUS
__________________________________________________________________
1.1. Overview
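Review bot: The copyright line in this hunk now carries a replacement character ("Copyright � 2002, 2003 FhG FOKUS") where the removed line had "©", so the README is being written out in a different encoding than before. That is unrelated to the "secret" documentation the commit message describes; regenerate the README with the original encoding or leave this line out of the commit.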
@@ -443,6 +443,16 @@ modparam("auth", "otn_in_flight_order", 23) # 8
Mb (1Mb memory)
1.3.10. secret (string)
+ Secret phrase used to calculate the nonce value. The default is to use
+ a random value generated from the random source in the core.
+
+ If you use multiple servers in your installation, and would like to
+ authenticate on the second server against the nonce generated at the
+ first one its necessary to explicitly set the secret to the same value
+ on all servers. However, the use of a shared (and fixed) secret as
+ nonce is insecure, much better is to stay with the default. Any clients
+ should send the reply to the server that issued the request.
+
Default value is randomly generated string.
Example 10. Setting secret module parameter
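Review bot: The second added paragraph says "the use of a shared (and fixed) secret as nonce is insecure", but the first paragraph states that the secret is used to calculate the nonce, not that it is the nonce. Reword along the lines of "using a shared, fixed secret to calculate nonces is insecure". The text also explains how to share the secret across servers and then only advises against it; one sentence naming the risk would let an operator with multiple servers weigh the trade-off.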
@@ -507,7 +517,7 @@ modparam("auth", "force_stateless_reply", 1)
records (not all SIP clients support SRV lookup), a subdomain of the
master domain can be defined for SIP purposes (like
sip.mydomain.net
pointing to same IP address as the SRV record for
mydomain.net). By
- ignoring the realm_prefix “sip.”, at authentication,
sip.mydomain.net
+ ignoring the realm_prefix "sip.", at authentication,
sip.mydomain.net
will be equivalent to
mydomain.net .
Default value is empty string.
@@ -571,7 +581,7 @@ if (has_credentials("myrealm")) {
* realm - Realm is a opaque string that the user agent should present
to the user so he can decide what username and password to use.
Usually this is domain of the host the server is running on.
- It must not be empty string “”. In case of REGISTER requests To
+ It must not be empty string "". In case of REGISTER requests To
header field domain (e.g., variable $td) can be used (because this
header field represents the user being registered), for all other
messages From header field domain can be used (e.g., variable $fd).
@@ -658,7 +668,7 @@ if (!auth_check("$fd", "subscriber",
"1")) {
* realm - Realm is a opaque string that the user agent should present
to the user so he can decide what username and password to use.
Usually this is domain of the host the server is running on.
- It must not be empty string “”. In case of REGISTER requests To
+ It must not be empty string "". In case of REGISTER requests To
header field domain (e.g., varibale $td) can be used (because this
header field represents a user being registered), for all other
messages From header field domain can be used (e.g., varibale $fd).
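Review bot: The context lines of this hunk still read "varibale $td" and "varibale $fd", while the same paragraph in the previous hunk spells "variable" correctly. Since the commit already touches this paragraph for the quote change, correct the spelling in the same pass.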
diff --git a/modules/auth/doc/params.xml b/modules/auth/doc/params.xml
index ab95963..2fd35ba 100644
--- a/modules/auth/doc/params.xml
+++ b/modules/auth/doc/params.xml
@@ -548,6 +548,16 @@ modparam("auth", "otn_in_flight_order", 23) # 8
Mb (1Mb memory)
<section id="auth.secret">
<title><varname>secret</varname> (string)</title>
+ <para>Secret phrase used to calculate the nonce value.
+ The default is to use a random value generated from the random source
+ in the core.</para>
+ <para>If you use multiple servers in your installation, and would like to
+ authenticate on the second server against the nonce generated at the
+ first one its necessary to explicitly set the secret to the same value
+ on all servers. However, the use of a shared (and fixed) secret as
+ nonce is insecure, much better is to stay with the default. Any
+ clients should send the reply to the server that issued the request.
+ </para>
<para>
Default value is randomly generated string.
</para>
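Review bot: In the second added <para>, "first one its necessary" needs "it is necessary" (or "it's"), and the closing sentence "clients should send the reply to the server that issued the request" blurs the roles: in digest authentication the server issues the challenge and the client resends its request with credentials, so say "send the request with credentials to the server that issued the challenge". The first added <para> also states the default, which the unchanged "Default value is randomly generated string." paragraph right after repeats; keep one of the two.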