[Freeswitch-users] Reject SIP registrations

Kurtis Heimerl kheimerl at cs.berkeley.edu
Tue Jun 28 12:34:02 MSD 2011


Ah, so it's as I worried.

How do I go about creating the situation that I want: users with
accounts are able to authenticate without passwords, but any attempts
to authenticate other accounts (that don't exist) are rejected?

On Tue, Jun 28, 2011 at 12:56 AM, Steven Ayre <steveayre at gmail.com> wrote:
> When you use a CIDR it matches the user entry based on IP not on username.
>
> You're able to authenticate with other usernames because they're all
> authenticating to the same user based on IP.
>
> -Steve
>
>
>
> On 28 June 2011 00:12, Kurtis Heimerl <kheimerl at cs.berkeley.edu> wrote:
>>
>> One of those links got screwed up...
>>
>> Anyhow, here are those three config files:
>>
>> internal.xml : http://bpastebin.freeswitch.org/16609
>>
>> acl.conf.xml : http://pastebin.freeswitch.org/16610
>>
>> 1300.xml : http://pastebin.freeswitch.org/16611
>>
>> If anything else could help, I'd love to share it.
>>
>> The basic story, so far as I see, is that I allow specific IPs through
>> the ACL. Somehow this is allowing ANY SIP username to register, rather
>> than just those defined (such as 1300). Any help would be appreciated.
>>
>> On Mon, Jun 27, 2011 at 4:11 PM, Kurtis Heimerl
>> <kheimerl at cs.berkeley.edu> wrote:
>> > Anyhow, here are those three config files:
>> >
>> > internal.xml : http://pastebin.freeswitch.org/16609
>> > acl.conf.xml : http://pastebin.freeswitch.org/16610
>> > 1300.xml : http://pastebin.freeswitch.org/16611
>> >
>> > If anything else could help, I'd love to share it.
>> >
>> > The basic story, so far as I see, is that I allow specific IPs through
>> > the ACL. Somehow this is allowing ANY SIP username to register, rather
>> > than just those defined (such as 1300). Any help would be appreciated.
>> >
>> > On Mon, Jun 27, 2011 at 1:30 PM, Kurtis Heimerl
>> > <kheimerl at cs.berkeley.edu> wrote:
>> >> It's enabled in the acl.conf.xml file, using CIDR.
>> >>
>> >> What conf files do you consider relevant? acl.conf.xml, internal.xml,
>> >> a profile or two, anything else?
>> >>
>> >> On Mon, Jun 27, 2011 at 1:26 PM, David Ponzone <david.ponzone at ipeva.fr>
>> >> wrote:
>> >>> The interesting question is then: why are you able to register without
>> >>> password, if this feature is not enabled on the profile...
>> >>> Perhaps you should recap your config once more, and put the relevant
>> >>> files on PB.
>> >>> David Ponzone, Technical Department
>> >>>
>> >>> On 27/06/2011 at 20:36, Kurtis Heimerl wrote:
>> >>>
>> >>> That would explain why removing them didn't do anything!
>> >>>
>> >>> Thanks.
>> >>>
>> >>> On Mon, Jun 27, 2011 at 6:25 AM, Steven Ayre <steveayre at gmail.com>
>> >>> wrote:
>> >>>
>> >>> Just so you know...
>> >>>
>> >>>      <param name="accept-blind-reg" value="true"/>
>> >>>      <param name="accept-blind-auth" value="true"/>
>> >>>
>> >>> These will have no effect in the user directory. They only apply to
>> >>> SIP profiles.
>> >>>
>> >>> -Steve
>> >>>
>> >>> On 27 June 2011 02:23, Kurtis Heimerl <kheimerl at cs.berkeley.edu>
>> >>> wrote:
>> >>>
>> >>> Hello FS Users!
>> >>>
>> >>> I'm trying to create the following setup. When a user registers, if
>> >>> they register on a known account (let's say X), they do not need a
>> >>> password. X's registration is immediately OK'd, and everything is
>> >>> great. I've gotten that working using the ACL. The IP addresses of our
>> >>> SIP clients are added through cidr and the clients do not need to give
>> >>> passwords.
>> >>>
>> >>> However, for some reason, if another account that does not exist in
>> >>> the directory (let's say Y) registers, FS returns with a 200 OK,
>> >>> instead of rejecting Y. I'm trying to figure out why this is the case,
>> >>> and how to remedy that fact.
>> >>>
>> >>> I have the following line in my internal.xml file, which I had assumed
>> >>> would force this function:
>> >>>
>> >>>   <!-- Force the user and auth-user to match. -->
>> >>>   <param name="inbound-reg-force-matching-username" value="true"/>
>> >>>
>> >>> However, it does not work. In my directory, each individual account has
>> >>> the following lines:
>> >>>
>> >>>  <user id="1303">
>> >>>    <params>
>> >>>      <param name="accept-blind-reg" value="true"/>
>> >>>      <param name="accept-blind-auth" value="true"/>
>> >>>      <param name="vm-password" value="1000"/>
>> >>>    </params>
>> >>>
>> >>> Though I've found that removing it (from all users in the directory)
>> >>> doesn't help.
>> >>>
>> >>> I'm primarily concerned with the line in internal.xml; it seems
>> >>> possible that the fact that we do not have an auth-user (because we do
>> >>> not require auth) means that this won't work. However, I have yet to
>> >>> test that hypothesis. The ACL has been the most confusing aspect of
>> >>> this installation, with a lot of undocumented aspects, and I get the
>> >>> nagging feeling this is another. I could very well be wrong though.
>> >>>
>> >>> Thanks for any direction.
>> >>>
>> >>> _______________________________________________
>> >>> Join us at ClueCon 2011, Aug 9-11, Chicago
>> >>> http://www.cluecon.com 877-7-4ACLUE
>> >>>
>> >>> FreeSWITCH-users mailing list
>> >>> FreeSWITCH-users at lists.freeswitch.org
>> >>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >>> http://www.freeswitch.org
>> >>>
>> >>>
>> >>
>> >
>>
>
>
>
>
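
An added example, not part of the original thread or of FreeSWITCH itself: a small directory audit that lists users keyed by a `cidr` attribute, flags the profile-only params Steven mentions when they appear under a user, and shows which registration attempts IP matching accepts even though the username has no directory entry. The directory XML, domain name, addresses and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample directory, not the poster's files. 1300 is keyed by a cidr
# attribute; 1303 carries the two params the thread says only apply to profiles.
DIRECTORY_XML = """
<domain name="example.invalid">
  <user id="1300" cidr="192.0.2.0/24">
    <params><param name="vm-password" value="1000"/></params>
  </user>
  <user id="1303">
    <params>
      <param name="accept-blind-reg" value="true"/>
      <param name="accept-blind-auth" value="true"/>
    </params>
  </user>
</domain>
"""
PROFILE_ONLY = {"accept-blind-reg", "accept-blind-auth"}

def audit_directory(xml_text):
    """Return ({user id: [networks]}, [(user id, misplaced param name)])."""
    ip_matched, misplaced = {}, []
    for user in ET.fromstring(xml_text).iter("user"):
        uid = user.get("id")
        # Assumption: a cidr attribute may hold several comma-separated ranges.
        for net in filter(None, (n.strip() for n in (user.get("cidr") or "").split(","))):
            ip_matched.setdefault(uid, []).append(ipaddress.ip_network(net, strict=False))
        misplaced += [(uid, p.get("name")) for p in user.iter("param")
                      if p.get("name") in PROFILE_ONLY]
    return ip_matched, misplaced

def resolve_by_ip(ip_matched, source_ip):
    """Directory user that a source IP is matched to, whatever username was sent."""
    addr = ipaddress.ip_address(source_ip)
    for uid, nets in ip_matched.items():
        if any(addr in net for net in nets):
            return uid
    return None

def unknown_registrations(xml_text, attempts):
    """(username, ip, matched user) for usernames absent from the directory
    that IP matching would still accept: the 200 OK case from the thread."""
    ip_matched, _ = audit_directory(xml_text)
    known = {u.get("id") for u in ET.fromstring(xml_text).iter("user")}
    return [(name, ip, resolve_by_ip(ip_matched, ip)) for name, ip in attempts
            if name not in known and resolve_by_ip(ip_matched, ip)]
```

Feeding `unknown_registrations` the (username, source IP) pairs from registration logs gives a list of accepted registrations that do not correspond to any provisioned account.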


