Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth_check: to 2 accounts on the same Phone, same username different realm. 2nd acc fails with -2 #548

Closed
chiluap opened this issue Mar 22, 2016 · 4 comments
Closed

auth_check: to 2 accounts on the same Phone, same username different realm. 2nd acc fails with -2 #548

chiluap opened this issue Mar 22, 2016 · 4 comments

Comments

@chiluap
Copy link

chiluap commented Mar 22, 2016

Hi there,
we are using kamailio as Registrar and Dispatcher.
Running modparam("auth_db", "use_domain", MULTIDOMAIN) //with MULTIDOMAIN = 1
In our route[AUTH]
I call if (!auth_check("$fd", "subscriber", "1")) {
to filter unwanted Guests and and brute-force attacks to the blacklist.

strangely auth_check fails under the following conditions:
1 UserAgent(Phone) with 2 SipAccounts with the same user-name but different realm
The first account can REGISTER without a problem.
for the second Account REGISTER fails with -2.
If I disable the first one the second one Registered.

Could it be that auth_check is not multidomain-safe in one user-agent thread?

Hope to here from you...

PS: I like kamailio =).

version: kamailio 4.3.4 (x86_64/linux)
@chiluap chiluap changed the title auth_check: to 2 accounts on the same Phone, same username different realm fails with -2 auth_check: to 2 accounts on the same Phone, same username different realm. 2nd acc fails with -2 Mar 22, 2016
@chiluap
Copy link
Author

chiluap commented Mar 22, 2016

Here some logs of the auth_check.
If I switch the load-order on the Phone account 1 fails.
kamailio_auth_check_log.txt

@miconda
Copy link
Member

miconda commented Mar 23, 2016

Realm is used for domain matching in subscriber table. Also be sure that if you use ha1 for digest authentication, the realm is used to build that string. You need to have two records in this case inside the subscriber table.

This is something to continue on sr-users@lists.sip-router.org mailing list if you want to discuss more. It is not related to a bug in the code and the tracker here is not used as a discussions forum, so I am closing the item here.

@miconda miconda closed this as completed Mar 23, 2016
@chiluap
Copy link
Author

chiluap commented Mar 23, 2016

Hello again,

Sorry to bother again.
I am using it exactly as you describe.
please let me elaborate:
I have one Hardware-Phone with 2 SipAccounts: 34@domain1, 34@domain2.
Both have a row in the subscribers table (ha1 calculated with: MD5(34:domain:password)).
If I try to register the second account the register fails.
If I move the Account to a different Hardware-Phone It registers.
Also If I disable the first Account the secound registers.
If I swap them the second one to register fails -> ha1 is correct.

Therefore there must be an issue in the code with threading authentication of SipAccounts with the same username but different domains from one ip-address and port.

@chiluap
Copy link
Author

chiluap commented Mar 23, 2016

After further testing this seems to be a problem of the phones firmware.
I tried it with a snom320 and it works fine.
Thank you...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@miconda @chiluap