Sorry for intruding, but this is puzzling me a lot.
I followed the guide to make Kamailio work with asterisk and realtime, Kamailio version 4 and asterisk 11.
(
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb)
up until now its working, and now want to get the phones
(CISCO SPA504G, former linksys) to get the SIP notify command and reload
to get their new config, from the asterisk cli
the cli command is "sip notify spa-reboot <username>"The problem is that, using the
setup in the guide, the phones registers with kamailio, kamalio then
strip the password and register with no password to the asterisk, as
supposed to be.
by that, when asterisk sends the SIP Notify with the reboot commands, it arrives to the kamailio, and is forwarded to phone, and the phone answers with a '401' and a digest.
In
the flow, the kamailio (in the middle) receives the 401 and sends again
the sip message to asterisk, and asterisk uses the digest to cipher the
password and reply, but as asterisk is configured with no password, the
reply contains as 'wrong' password (the empty/blank one)
is there any way to make kamailio intercepts again that '401'
and reply with a crafted message, with the right digest, password, (the one in the ul table) and
user, so the phone can accept the order and reboots?
The
other (ugly) option, is to remove the auth from the phone, for the Sip Provisioning, but that
would leave and open door to a reboot attack without auth needed from
any IP. And I dont like that option.
As we talk, I managed to create a routing logic, but is that the right approach? :
===================
request_route {
if (is_method("NOTIFY"))
{
#xlog("NOTIFY received: $rs");
t_on_failure("MANAGE_FAILURE_401"); #try to intercep a 401
}
.....
}
failure_route[MANAGE_FAILURE_401] {
if (t_check_status("401")) {
#401 detectado dentro de un Notify,
#probablemente ha sido por una orden de reboot.
#hay que construir un paquete e intentar enviar, con el digest adecuado....
$uac_req(method)="NOTIFY";
$uac_req(ruri)="sip:";
$uac_req(furi)="sip:";
$uac_req(turi)="sip:";
$uac_req(hdrs)="Contact: <sip:"+ ">\r\n";
#Paquete construido, debe ser enviado
uac_req_send();
xlog("401 detectado");
# exit;
}
===================
Thanks in advance.....