Hi,
When any SIP request arrives at the proxy, it asserts some kind of
identity ("I am claiming to be sip:alex@sip.evaristesys.com").
In most SIP requests, this is the From URI ($fu) identity, but in
REGISTERs, it's the To URI ($tu), because according to the standard, the
AoR (Address of Record) that the registration seeks to establish a
binding for is situated in the To URI.
This identity can be trusted at face value, but usually isn't; that's
the reason for the RFC 2617-inspired digest challenge / authentication
mechanism. The proxy sends a nonce (temporary encryption key of sorts)
and expects a new request which has an additional header (e.g.
"Authorization") whose value is encrypted with that nonce. This
Authorization header has several parameters, one of which is an
"authentication username" -- exposed in the Kamailio config as $au.
The check you are asking about ensures alignment between the
authentication username and the broader "identity" username, if you
like. This is usually desirable, because otherwise, I could register
with an AoR of "sip:lenz@sip.evaristesys.com" as long as I have some
other, valid credentials on the system. In other words, I could use my
username for 'alex' in order to establish a registration of
"sip:lenz@sip.evaristesys.com". But if alignment between $tU == $au is
assured, then I can only use authentication credentials for 'alex' in
order to register an identity of 'alex', and you can only use
authentication credentials for 'lenz' to bind an identity of 'lenz'.
Does that make sense?
-- Alex
On Tue, Oct 29, 2019 at 11:35:45AM -0400, PICCORO McKAY Lenz wrote:
I have this in the Asterisk integration how-to, and I noted the "exit"
before the "if($au!=$tU)" .. I don't understand the conditional and the
exit there!
Please can someone explain that to me!?
    # authenticate the REGISTER requests (uncomment to enable auth)
#!ifdef WITH_ASTERISK
    if (!www_authorize("$td", "sipusers"))
#!else
    if (!www_authorize("$td", "subscriber"))
#!endif
    {
        # no valid digest credentials yet: send a challenge and stop
        www_challenge("$td", "0");
        exit;
    }
    # authentication username must match the user part of the To URI
    if ($au!=$tU)
    {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
I investigated the Kamailio cfg documentation and there's no clear
related topic!
http://www.kamailio.org/wiki/cookbooks/5.2.x/pseudovariables#tu_-_to_uri
Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
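Added example, not part of the original thread and not Kamailio code: a Python model of the two checks in the quoted config, first the digest verification (the www_authorize step, RFC 2617 response without qop) and then the $au / $tU comparison. The REALM, the USERS table with its passwords, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data standing in for the subscriber table.
REALM = "sip.evaristesys.com"
USERS = {"alex": "alex-secret", "lenz": "lenz-secret"}

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def build_authorization(user, password, nonce, uri):
    """Client side: the Authorization header sent after the challenge."""
    resp = digest_response(user, password, nonce, "REGISTER", uri)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def to_user(to_header):
    """User part of the To URI (what the config exposes as $tU)."""
    m = re.search(r"sips?:([^@;>\s]+)@", to_header)
    return m.group(1) if m else None

def handle_register(to_header, authorization, nonce):
    """Return (status, reason) in the same order as the quoted config."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', authorization or ""))
    au = params.get("username")  # authentication username ($au)
    password = USERS.get(au)
    # Step 1 (www_authorize / www_challenge): credentials must verify.
    if password is None or params.get("nonce") != nonce:
        return 401, "Unauthorized"
    expected = digest_response(au, password, nonce, "REGISTER", params.get("uri", ""))
    if not hmac.compare_digest(expected, params.get("response", "")):
        return 401, "Unauthorized"
    # Step 2 ($au != $tU): valid credentials may only bind their own AoR.
    if au != to_user(to_header):
        return 403, "Forbidden auth ID"
    return 200, "OK"
```

Without step 2, the request carrying alex's valid credentials and a To URI of lenz would pass step 1 and reach the registrar.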