Hi list!
I just came across something very strange when using the radius-modules and wonder if it is a wanted feature, a bug or simply me being stupid (which I guess will be the case).
The thing is the following. My ser.cfg has the following in it when a UA registers:

    if (method=="REGISTER") {
        if (!radius_proxy_authorize("XXX.XXX.XXX.XXX")) {
            proxy_challenge("XXX.XXX.XXX.XXX", "0");
            break;
        };
        log(1, "Registered");
        save("location");
        break;
    };
This works fine, meaning the user gets registered if it is known to Radius, and is not registered in the opposite case.
Now to the strange thing. In most UAs you can enter different user parts of the URI and Authentication-Users. I used kphone for this test and entered a valid username as authentication username and some random number (or word, that doesn't matter) as "User part of SIP URL". What happens then is that the user can register and gets a URI different from the authenticated username. With this behavior every user would be able to "hijack" connections from other users.
How can I tell SER to not allow this? Has it something to do with the SIP-Rpid argument in Radius? SER seems to ignore it.
Any hints, or RTFMs to get me looking in the right direction to solve this problem would be very kind.
Best regards Kai
On Jul 08, 2004 at 13:20, Kai Militzer km@westend.com wrote:
Use check_to from the uri module. Before save(...) add something like:

    if (!check_to()) { /* error reply here */ break; }
Andrei
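The check Andrei describes, worked into Kai's REGISTER block as an added example (not code from this thread or from the SER project itself); the loadmodule paths and the 403 reply via sl_send_reply() are assumptions about the rest of the ser.cfg.

```cfg
# Assumed: the uri module (provides check_to) and the sl module
# (provides sl_send_reply) are loaded; adjust paths to your install.
loadmodule "/usr/lib/ser/modules/uri.so"
loadmodule "/usr/lib/ser/modules/sl.so"

if (method=="REGISTER") {
    # Step 1: verify the digest credentials against Radius.
    if (!radius_proxy_authorize("XXX.XXX.XXX.XXX")) {
        proxy_challenge("XXX.XXX.XXX.XXX", "0");
        break;
    };
    # Step 2: the username that was authenticated must be the same
    # as the username in the To header. Without this, a UA can present
    # valid credentials for user A and bind its contact to user B's URI.
    if (!check_to()) {
        log(1, "REGISTER: To username does not match authenticated user");
        sl_send_reply("403", "Forbidden");
        break;
    };
    log(1, "Registered");
    save("location");
    break;
};
```

The same module offers check_from() for the From header, which is the equivalent guard for authenticated non-REGISTER requests.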