Authentication

Last modified by Buildbot on 2018/07/01 01:02

 Documentation based on repostory git version commit 1.0.12-487-g7669680
 

Module Authentication

The authentication module challenges and authenticates SIP requests using two possible methods: 

  • if the request is received via a TLS transport and 'require-peer-certificate' is set in transport definition in [Global] section for this transport,  then the From header of the request is matched with the CN claimed by the client certificate. The CN must contain sip:user@domain or alternate name with URI=sip:user@domain corresponding to the URI in the from header for the request to be accepted. Optionnaly, the property tls-client-certificate-required-subject may contain a regular expression for additional checks to execute on certificate subjects.
  • if no TLS client based authentication can be performed, or is failed, then a SIP digest authentication is performed. The password verification is made by querying a database or a password file on disk.
    ----

Configuration options:

NameDescriptionDefault ValueType
enabledIndicate whether the module is activated. falseBoolean
filterA request/response enters module if the boolean filter evaluates to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org') && (user-agent == 'Linphone v2') BooleanExpr
auth-domainsList of whitespace separated domain names to challenge. Others are denied. localhostStringList
trusted-hostsList of whitespace separated IP which will not be challenged. StringList
db-implementationDatabase backend implementation for digest authentication [odbc,soci,file]. fileString
datasourceOdbc connection string to use for connecting to database. ex1: DSN=myodbc3; where 'myodbc3' is the datasource name. ex2: DRIVER={MySQL};SERVER=host;DATABASE=db;USER=user;PASSWORD=pass;OPTION=3; for a DSN-less connection. ex3: /etc/flexisip/passwd; for a file containing user credentials in clear-text, md5 or sha256. The file must start with 'version:1' as the first line, and then contains lines in the form of:
 user@domain clrtxt:clear-text-password md5:md5-password sha256:sha256-password ;
 For example:
 bellesip@sip.linphone.org clrtxt:secret ;
 bellesip@sip.linphone.org md5:97ffb1c6af18e5687bf26cdf35e45d30 ;
 bellesip@sip.linphone.org clrtxt:secret md5:97ffb1c6af18e5687bf26cdf35e45d30 sha256:d7580069de562f5c7fd932cc986472669122da91a0f72f30ef1b20ad6e4f61a3 ;		 String
nonce-expiresExpiration time of nonces, in seconds. 3600Integer
cache-expireDuration of the validity of the credentials added to the cache in seconds. 1800Integer
no-403Don't reply 403, but 401 or 407 even in case of wrong authentication. falseBooleanExpr
reject-wrong-client-certificatesIf set to true, the module will simply reject with 403 forbidden any request coming from client who presented a bad TLS certificate (regardless of reason: improper signature, unmatched subjects). Otherwise, the module will fallback to a digest authentication.
 This policy applies only for transports configured with 'required-peer-certificate=1' parameter; indeed no certificate is requested to the client otherwise.		 falseBoolean
tls-client-certificate-required-subjectAn optional regular expression matched against subjects of presented client certificates. If this regular expression evaluates to false, the request is rejected. The matched subjects are, in order: subjectAltNames.DNS, subjectAltNames.URI, subjectAltNames.IP and CN. String
new-auth-on-407When receiving a proxy authenticate challenge, generate a new challenge for this proxy. falseBoolean
enable-test-accounts-creationEnable a feature useful for automatic tests, allowing a client to create a temporary account in the password database in memory.This MUST not be used for production as it is a real security hole. falseBoolean
disable-qop-authDisable the QOP authentication method. Default is to use it, use this flag to disable it if needed. falseBoolean
available-algorithmsList of algorithms, separated by whitespaces (valid values are MD5 and SHA-256).
 This feature allows to force the use of wanted algorithm(s).
 If the value is empty, then it will authorize all implemented algorithms.		 MD5StringList
trust-domain-certificatesIf enabled, all requests which have their request URI containing a trusted domain will be accepted. falseBoolean
Created by Buildbot on 2017/01/16 10:02
   

Navigation