[Users] User Registration Security on Openser

Bogdan-Andrei Iancu bogdan at voice-system.ro
Thu Jan 18 11:26:51 CET 2007


Hi Howard,

also take note that registration and making calls are two different 
things. First of all, registration is not required for placing calls - 
an unregistered user may dial. Also, even if you authenticate the 
registrations, you should also authenticate the calls originated by your 
users.

regards,
bogdan

Howard Tang wrote:

> Hi Christian,
>
> Thank you for pointing that out. I found that the person is one of my
> users, but he put a username in X-Lite different from the auth username.
> That is why I see a different number, and your solution fixed the
> issue!
>
> Thanks a lot.
>
> Regards,
> Howard
>
> On 1/18/07, Christian Schlatter <cs at unc.edu> wrote:
>
>> Howard Tang wrote:
>> > Hi,
>> >
>> > I realized someone is able to make calls and register to my SIP
>> > proxy while he/she is not in the subscriber table.
>> >
>> > I couldn't find his/her username in the subscriber table, but I was
>> > able to see him/her in the location table. I am able to see he/she
>> > made 10 calls from my SIP proxy.
>> >
>> > Anyone have an idea on what I have done wrong? I have included the
>> > authentication part of the config here.
>>
>> Your config looks ok to me but it will allow someone with a valid digest
>> username/password combination to register *any* AOR SIP URI. One method
>> to avoid that is to use check_to() from the uri_db module.
>>
>> Similarly you can use check_from() to make sure that endpoints use a SIP
>> From header that exists in the subscriber table.
>>
>> SIP digest credentials are independent of the SIP URIs used, allowing
>> e.g. third-party registration. That means I could add a registration for
>> your AOR SIP URI. But obviously this also introduces a risk for misuse.
>>
>> I've added check_to() and check_from() to your config.
>>
>> - Christian
>>
>> # -- uri_db params --
>> modparam("uri_db", "db_url",
>> "mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
>> modparam("uri_db", "subscriber_table", "subscriber")
>> modparam("uri_db", "use_uri_table", 0) # use subscriber table
>> modparam("uri_db", "use_domain", 0) # only check username (no multi
>>                                      # domain support)
>>
>>
>> >
>> >     if (uri==myself) {
>> >                if (method=="REGISTER") {
>> >                        # Uncomment this if you want to use digest
>> > authentication
>> >                        if (!www_authorize("x.x.x.x", "subscriber")) {
>> >                                www_challenge("x.x.x.x", "0");
>> >                                exit;
>> >                        };
>>
>>                           if (!check_to()) {
>>                                   sl_send_reply("401", "Unauthorized");
>>                                   exit;
>>                           }
>>
>>
>> >                        consume_credentials();
>> >                        save("location");
>> >                        exit;
>> >                };
>> >
>> >                if (method=="INVITE") {
>> >                        if (!proxy_authorize("","subscriber")) {
>> >                                proxy_challenge("x.x.x.x","0");
>> >                                exit;
>> >                        }
>>
>>                           if (!check_from()) {
>>                                   sl_send_reply("403", "Use From=ID");
>>                                   exit;
>>                           }
>>
>> >                        consume_credentials();
>> >                };
>> >
>> >                lookup("aliases");
>> >                if (!uri==myself) {
>> >                        append_hf("P-hint: outbound alias\r\n");
>> >                        route(1);
>> >                };
>> >
>> >
>>
>>
>
>

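The point Christian makes above, that a valid digest only proves the credentials and says nothing about the To or From URI, is easiest to see in code. The following is an added example written for this page, not OpenSER code: it verifies an RFC 2617 digest the way www_authorize()/proxy_authorize() would, then applies the extra binding that check_to() (REGISTER) and check_from() (INVITE) add, and returns the reply codes from the config in the thread. The realm, nonce, subscriber table and the requests built by build_request() are all constructed for the example; the "x.x.x.x" realm is replaced by a hostname.

```python
"""Added example (not OpenSER code): what check_to()/check_from() add on top
of digest authentication.  A digest proves the credentials are valid; it does
not prove the To (REGISTER) or From (INVITE) URI belongs to the same user,
which is what lets a valid subscriber register or call as someone else.
Realm, nonce, subscribers and messages are constructed for this example."""
import hashlib
import re

REALM = "sip.example.org"   # stands in for the "x.x.x.x" realm in the thread
NONCE = "0123456789abcdef"  # constructed; a real server issues fresh nonces
SUBSCRIBERS = {"alice": "alice-secret", "bob": "bob-secret"}  # constructed table


def parse_message(raw):
    """Split a SIP request into (method, {lower-case header name: value})."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' into a dict, or None if not a digest."""
    if not value.lower().startswith("digest "):
        return None
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[7:]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def uri_user(header_value):
    """User part of the first sip: URI in a To/From header, e.g. 'alice'."""
    m = re.search(r"sip:([^@>;]+)@", header_value)
    return m.group(1) if m else None


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def authenticate(method, headers, header_name):
    """Verify the digest in header_name; return the credential username or None.
    This is the part www_authorize()/proxy_authorize() already do."""
    creds = parse_digest(headers.get(header_name, ""))
    if not creds or creds.get("realm") != REALM:
        return None
    password = SUBSCRIBERS.get(creds.get("username"))
    if password is None:
        return None
    expected = digest_response(creds["username"], password, method,
                               creds.get("uri", ""), creds.get("nonce", ""))
    return creds["username"] if expected == creds.get("response") else None


def route(raw):
    """Mirror the REGISTER/INVITE branches of the config in the thread."""
    method, headers = parse_message(raw)
    if method == "REGISTER":
        user = authenticate(method, headers, "authorization")
        if user is None:
            return (401, "Unauthorized")          # www_challenge()
        if uri_user(headers.get("to", "")) != user:
            return (401, "Unauthorized")          # check_to() failed
        return (200, "OK")                        # save("location")
    if method == "INVITE":
        user = authenticate(method, headers, "proxy-authorization")
        if user is None:
            return (407, "Proxy Authentication Required")  # proxy_challenge()
        if uri_user(headers.get("from", "")) != user:
            return (403, "Use From=ID")           # check_from() failed
        return (100, "Trying")                    # would be relayed onward
    return (405, "Method Not Allowed")


def build_request(method, cred_user, password, to_user, from_user):
    """Constructed request with a correct digest for cred_user; the To/From
    users are chosen independently, exactly as a softphone lets you."""
    req_uri = f"sip:{REALM}" if method == "REGISTER" else f"sip:{to_user}@{REALM}"
    header = "Authorization" if method == "REGISTER" else "Proxy-Authorization"
    resp = digest_response(cred_user, password, method, req_uri, NONCE)
    return "\r\n".join([
        f"{method} {req_uri} SIP/2.0",
        f"To: <sip:{to_user}@{REALM}>",
        f"From: <sip:{from_user}@{REALM}>;tag=1",
        f'{header}: Digest username="{cred_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{req_uri}", response="{resp}"',
        "", ""])


if __name__ == "__main__":
    # alice registering her own AOR, then alice registering bob's AOR
    print(route(build_request("REGISTER", "alice", "alice-secret", "alice", "alice")))
    print(route(build_request("REGISTER", "alice", "alice-secret", "bob", "alice")))
```

The second REGISTER in the usage block is the third-party registration Christian describes: the digest for alice is perfectly valid, so without the To check it would be saved into the location table under bob's AOR. The INVITE path is the same story with From, which is why the thread's original symptom (calls from a username that is not in the subscriber table) went away once check_from() was added.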