Authentication
Last modified by Buildbot on 2018/07/01 01:02
Documentation based on repository git version commit 1.0.12-487-g7669680
Module Authentication
The authentication module challenges and authenticates SIP requests using two possible methods:
- if the request is received via a TLS transport and 'require-peer-certificate' is set in the transport definition in the [Global] section for this transport, then the From header of the request is matched against the CN claimed by the client certificate. The CN must contain sip:user@domain, or an alternate name with URI=sip:user@domain, corresponding to the URI in the From header for the request to be accepted. Optionally, the property tls-client-certificate-required-subject may contain a regular expression for additional checks to execute on certificate subjects.
- if no TLS client-certificate-based authentication can be performed, or it fails, then a SIP digest authentication is performed. The password is verified by querying a database or a password file on disk.
----
Configuration options:
Name | Description | Default Value | Type |
---|---|---|---|
enabled | Indicate whether the module is activated. | false | Boolean |
filter | A request/response enters the module if the boolean filter evaluates to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org') && (user-agent == 'Linphone v2') | | BooleanExpr |
auth-domains | List of whitespace-separated domain names to challenge. Others are denied. | localhost | StringList |
trusted-hosts | List of whitespace-separated IPs which will not be challenged. | | StringList |
db-implementation | Database backend implementation for digest authentication [odbc,soci,file]. | file | String |
datasource | ODBC connection string to use for connecting to the database. ex1: DSN=myodbc3; where 'myodbc3' is the datasource name. ex2: DRIVER={MySQL};SERVER=host;DATABASE=db;USER=user;PASSWORD=pass;OPTION=3; for a DSN-less connection. ex3: /etc/flexisip/passwd; for a file containing user credentials in clear-text, md5 or sha256. The file must start with 'version:1' as the first line, and then contain lines of the form: user@domain clrtxt:clear-text-password md5:md5-password sha256:sha256-password ; For example: bellesip@sip.linphone.org clrtxt:secret ; bellesip@sip.linphone.org md5:97ffb1c6af18e5687bf26cdf35e45d30 ; bellesip@sip.linphone.org clrtxt:secret md5:97ffb1c6af18e5687bf26cdf35e45d30 sha256:d7580069de562f5c7fd932cc986472669122da91a0f72f30ef1b20ad6e4f61a3 ; | | String |
nonce-expires | Expiration time of nonces, in seconds. | 3600 | Integer |
cache-expire | Duration of the validity of the credentials added to the cache, in seconds. | 1800 | Integer |
no-403 | Don't reply 403, but 401 or 407, even in case of wrong authentication. | false | BooleanExpr |
reject-wrong-client-certificates | If set to true, the module will simply reject with 403 Forbidden any request coming from a client who presented a bad TLS certificate (regardless of reason: improper signature, unmatched subjects). Otherwise, the module will fall back to a digest authentication. This policy applies only to transports configured with the 'required-peer-certificate=1' parameter; indeed no certificate is requested from the client otherwise. | false | Boolean |
tls-client-certificate-required-subject | An optional regular expression matched against the subjects of presented client certificates. If this regular expression evaluates to false, the request is rejected. The matched subjects are, in order: subjectAltNames.DNS, subjectAltNames.URI, subjectAltNames.IP and CN. | | String |
new-auth-on-407 | When receiving a proxy authenticate challenge, generate a new challenge for this proxy. | false | Boolean |
enable-test-accounts-creation | Enable a feature useful for automatic tests, allowing a client to create a temporary account in the in-memory password database. This MUST not be used for production as it is a real security hole. | false | Boolean |
disable-qop-auth | Disable the QOP authentication method. Default is to use it; use this flag to disable it if needed. | false | Boolean |
available-algorithms | List of algorithms, separated by whitespace (valid values are MD5 and SHA-256). This feature allows forcing the use of the wanted algorithm(s). If the value is empty, then all implemented algorithms are authorized. | MD5 | StringList |
trust-domain-certificates | If enabled, all requests whose request URI contains a trusted domain will be accepted. | false | Boolean |
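As an added illustration of the digest path described above (the 'version:1' password file given under datasource, the MD5/SHA-256 choice controlled by available-algorithms, and the qop-less form selected by disable-qop-auth), the following Python is example code written for this page, not Flexisip's own implementation. It parses a constructed password file, validates each entry's shape, and checks a Digest Authorization header against it using the standard RFC 2617/7616 computation. It assumes that md5/sha256 entries in the file hold the digest HA1 value, H(user:realm:password), and that the proxy's realm equals the user's domain; both are assumptions of this example, and the sample credentials are constructed.

```python
import hashlib
import re
import secrets

HASH_NAMES = {"MD5": "md5", "SHA-256": "sha256"}  # SIP 'algorithm' value -> hashlib name


def _h(hashname, text):
    return hashlib.new(hashname, text.encode("utf-8")).hexdigest()


def ha1(hashname, user, realm, password):
    """HA1 as defined by HTTP/SIP digest (RFC 2617 / RFC 7616): H(user:realm:password)."""
    return _h(hashname, f"{user}:{realm}:{password}")


# Constructed password file in the 'version:1' format described under 'datasource'.
# The md5 entry for alice is computed here so the sample matches the HA1 assumption.
SAMPLE_PASSWD = (
    "version:1\n"
    "bellesip@sip.linphone.org clrtxt:secret\n"
    f"alice@sip.example.org md5:{ha1('md5', 'alice', 'sip.example.org', 'wonderland')}\n"
)

_HEX = {"md5": re.compile(r"[0-9a-f]{32}"), "sha256": re.compile(r"[0-9a-f]{64}")}


def parse_passwd(text):
    """Parse a 'version:1' password file into {user@domain: {kind: value}}."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "version:1":
        raise ValueError("password file must start with 'version:1'")
    creds = {}
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        identity, *tokens = line.split()
        if "@" not in identity or not tokens:
            raise ValueError(f"line {lineno}: expected 'user@domain kind:value ...'")
        entry = {}
        for tok in tokens:
            kind, sep, value = tok.partition(":")
            if not sep or kind not in ("clrtxt", "md5", "sha256"):
                raise ValueError(f"line {lineno}: unknown credential kind {tok!r}")
            if kind in _HEX and not _HEX[kind].fullmatch(value):
                raise ValueError(f"line {lineno}: malformed {kind} digest")
            entry[kind] = value
        creds[identity] = entry
    return creds


_PARAM_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict with lower-cased keys."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled here")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(rest)}


def digest_response(hashname, ha1_value, method, uri, nonce, qop="", nc="", cnonce=""):
    """Expected 'response' value; the qop-less branch is what disable-qop-auth selects."""
    ha2 = _h(hashname, f"{method}:{uri}")
    if qop:
        return _h(hashname, f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(hashname, f"{ha1_value}:{nonce}:{ha2}")


def stored_ha1(entry, hashname, user, realm):
    """HA1 for one algorithm: the stored digest if present, else derived from clrtxt.
    Assumption of this example: md5/sha256 file entries hold HA1, not a bare password hash."""
    if hashname in entry:
        return entry[hashname]
    if "clrtxt" in entry:
        return ha1(hashname, user, realm, entry["clrtxt"])
    return None  # no credential usable with this algorithm


def verify(creds, method, params, allowed_algorithms=("MD5", "SHA-256")):
    """Check a parsed Authorization header against the password file; True if it matches."""
    try:
        user, realm = params["username"], params["realm"]
        uri, nonce, response = params["uri"], params["nonce"], params["response"]
    except KeyError:
        return False
    algorithm = params.get("algorithm", "MD5").upper()
    if algorithm not in allowed_algorithms or algorithm not in HASH_NAMES:
        return False  # mirrors available-algorithms: an unwanted algorithm is refused
    entry = creds.get(f"{user}@{realm}")  # assumption: realm == user's domain
    if entry is None:
        return False
    ha1_value = stored_ha1(entry, HASH_NAMES[algorithm], user, realm)
    if ha1_value is None:
        return False
    expected = digest_response(HASH_NAMES[algorithm], ha1_value, method, uri, nonce,
                               params.get("qop", ""), params.get("nc", ""), params.get("cnonce", ""))
    return secrets.compare_digest(expected, response.lower())


def build_authorization(user, realm, password, method, uri, nonce, cnonce, algorithm="MD5"):
    """Client side: the Authorization header a UA sends back to a 401/407 challenge with qop=auth."""
    hashname = HASH_NAMES[algorithm]
    resp = digest_response(hashname, ha1(hashname, user, realm, password), method, uri, nonce,
                           "auth", "00000001", cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", algorithm={algorithm}, qop=auth, nc=00000001, cnonce="{cnonce}"')


if __name__ == "__main__":
    creds = parse_passwd(SAMPLE_PASSWD)
    hdr = build_authorization("bellesip", "sip.linphone.org", "secret",
                              "REGISTER", "sip:sip.linphone.org", "n1", "c1")
    print("bellesip REGISTER accepted:", verify(creds, "REGISTER", parse_authorization(hdr)))
```

Two points worth noting from the code: an entry that only carries an md5 digest cannot satisfy a SHA-256 challenge, because HA1 cannot be recomputed for another algorithm without the clear-text password, so restricting available-algorithms must be consistent with what the password store holds; and the response comparison uses a constant-time compare, since the stored HA1 is itself a password-equivalent secret. Nonce expiry (nonce-expires) and the credential cache (cache-expire) are outside this example.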