[SR-Users] Kamailio/Asterisk combination + hashed passwords?
Daniel Pocock
daniel at pocock.com.au
Fri Jun 7 11:33:45 CEST 2013
On 06/06/13 16:35, Daniel-Constantin Mierla wrote:
> Hello,
>
> On 6/6/13 11:05 AM, Daniel Pocock wrote:
>> I was just looking over:
>>
>> http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>>
>>
>> A couple of things I noticed:
>>
>> - Kamailio is using a column sippasswd which is not hashed. Asterisk
>> doesn't use that column at all. Is there any reason this can't be done
>> with the H(A1) and H(A1b) columns? The INSERT example shows a
>> non-encrypted password.
>
> you can store hashed value there. In Kamailio is just a matter of
> config parameter/function parameter to say the loaded value is either
> plain text or ha1.
Great - are there any interoperability issues with the realm name when
using hashes? I presume that as long as the same challenge realm name
is configured in Asterisk and Kamailio and when making the hashes it is
all OK?
I also posted a query on the asterisk-users list about support for ha1b
- would you know if that is something that still comes up in practice?
It is in the Kamailio schema, but I have not encountered a device
behaving that way in practice.
>
>>
>> - Is it all considered valid for Kamailio 4 and Asterisk 11? (maybe a
>> disclaimer could be added at the top)
>
> There is another one for K4.0 and A11:
>
> -
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>
> Not many changes and apparently there are newer updates in asterisk
> database structure on latest RC of 11.3.x.
>
Great - Google searches for "Asterisk Kamailio" or even "Asterisk 11
Kamailio 4" still return the old page, so maybe it is still useful to
link the pages
>>
>> - The Asterisk columns `md5secret' and `secret' are left empty so that
>> Asterisk won't challenge. I believe there are other ways of doing this:
>> for example, telling Kamailio to be the registrar and forcing Asterisk
>> to use outbound proxy mode. I managed to make this work against repro -
>> Asterisk no longer receives any REGISTER messages, but all INVITEs go
>> through Asterisk, so the double-challenge problem only arises for
>> INVITEs. Maybe Asterisk can be told that Kamailio's source IP:port is
>> `trusted' and doesn't need to be challenged - is anybody aware of such
>> an option in Asterisk?
> There are various ways of doing it, this particular one tried to be at
> least intrusive as possible in asterisk, not to require changing a
> deployed asterisk configuration.
>
> For a new deployment, other approach is more recommended, using
> kamailio as outbound proxy.
As you can imagine, I've played with a few variations of this against repro
I've noticed that it isn't so straightforward, here are some issues
(Asterisk faults, not proxy issues):
- Asterisk doesn't automatically use it's bind IP:port for outgoing
connections to the proxy - so proxy ACLs are tricky to set up if the
Asterisk host has multiple IPs
- if Asterisk tries to connect to a TLS proxy, and the proxy has
optional client cert verification enabled, Asterisk tries to send it's
cert. There seems to be no way to disable Asterisk sending a cert in
this scenario, but the proxy doesn't like the way the client cert is
submitted and so it seems impossible to connect to such a proxy.
This was observed with Asterisk 11.4
More information about the sr-users
mailing list