Hi,
When any SIP request arrives at the proxy, it asserts some kind of identity ("I am claiming to be sip:alex@sip.evaristesys.com").
In most SIP requests, this is the From URI ($fu) identity, but in REGISTERs, it's the To URI ($tu), because according to the standard, the AoR (Address of Record) that the registration seeks to establish a binding for is situated in the To URI.
This identity can be trusted at face value, but usually isn't; that's the reason for the RFC 2617-inspired digest challenge / authentication mechanism. The proxy sends a nonce (temporary encryption key of sorts) and expects a new request which has an additional header (e.g. "Authorization") whose value is encrypted with that nonce. This Authorization header has several parameters, one of which is an "authentication username" -- exposed in the Kamailio config as $au.
The check you are asking about ensures alignment between the authentication username and the broader "identity" username, if you like. This is usually desirable, because otherwise, I could register with an AoR of "sip:lenz@sip.evaristesys.com" as long as I have some other, valid credentials on the system. In other words, I could use my username for 'alex' in order to establish a registration of "sip:lenz@sip.evaristesys.com". But if alignment between $tU == $au is assured, then I can only use authentication credentials for 'alex' in order to register an identity of 'alex', and you can only use authentication credentials for 'lenz' to bind an identity of 'lenz'.
Does that make sense?
-- Alex
On Tue, Oct 29, 2019 at 11:35:45AM -0400, PICCORO McKAY Lenz wrote:
I have this in the Asterisk integration how-to, and I noted the "exit" before the "if($au!=$tU)" .. I don't understand the conditional and the exit there!
Please, can someone explain that to me!?
    # authenticate the REGISTER requests (uncomment to enable auth)
#!ifdef WITH_ASTERISK
    if (!www_authorize("$td", "sipusers"))
#!else
    if (!www_authorize("$td", "subscriber"))
#!endif
    {
        www_challenge("$td", "0");
        exit;
    }

    if ($au!=$tU)
    {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
I investigated the Kamailio cfg documentation and there's no clear related topic!
http://www.kamailio.org/wiki/cookbooks/5.2.x/pseudovariables#tu_-_to_uri
Lenz McKAY Gerardo (PICCORO) http://qgqlochekone.blogspot.com
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
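
The two-stage decision described in the reply above (digest check first, then the comparison of $au against $tU), modelled in Python as an added example; it is not part of the original thread and is not Kamailio's code. The subscriber table, passwords, nonce and function names are constructed for illustration, and nonce validation and qop are left out.

```python
import hashlib
import hmac

REALM = "sip.evaristesys.com"
# Constructed subscriber table (username -> password); stands in for the DB table.
SUBSCRIBERS = {"alex": "alex-secret", "lenz": "lenz-secret"}


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, realm=REALM):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def handle_register(to_user, auth, nonce, uri=f"sip:{REALM}"):
    """Return the (code, reason) a registrar applying both checks would send.

    to_user plays the role of $tU; auth["username"] plays the role of $au.
    """
    if auth is None:
        return 401, "Unauthorized"            # no credentials yet: challenge
    password = SUBSCRIBERS.get(auth["username"])
    if password is None:
        return 401, "Unauthorized"            # unknown auth user: challenge
    expected = digest_response(auth["username"], password, "REGISTER", uri, nonce)
    if not hmac.compare_digest(expected, auth["response"]):
        return 401, "Unauthorized"            # digest mismatch: challenge again
    if auth["username"] != to_user:           # the $au != $tU test
        return 403, "Forbidden auth ID"
    return 200, "OK"


def client_auth(username, password, nonce, uri=f"sip:{REALM}"):
    """Build the Authorization parameters a client would send (simplified)."""
    return {"username": username,
            "response": digest_response(username, password, "REGISTER", uri, nonce)}


if __name__ == "__main__":
    nonce = "constructed-nonce-0001"
    own = client_auth("alex", "alex-secret", nonce)
    print(handle_register("alex", own, nonce))   # valid credentials, own AoR
    print(handle_register("lenz", own, nonce))   # valid credentials, other AoR
```

Without the final comparison, the second call would return 200: the digest only proves knowledge of the password for the auth username and says nothing about the To URI.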