[Freeswitch-users] Directory and ACL authentication

Steven Ayre steveayre at gmail.com
Wed May 7 14:24:49 MSD 2014


I retract that. Given that it's a security-related topic it made sense to
check the code to verify.

'grep allow_empty_password src/mod/endpoints/mod_sofia/*'
switch_bool_t allow_empty_password = SWITCH_TRUE;

The default is in fact to allow them, so if you want to refuse them yes you
*will* need that parameter.


On 7 May 2014 11:15, Steven Ayre <steveayre at gmail.com> wrote:

> I would assume that's the default.
>
>
> On 6 May 2014 20:31, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>
>>  Great, thank you Antony. I confirm it works either way now....it was a
>> super quick one.
>>
>> On a similar topic, do I have to set this in the domain params?
>> <param name="allow-empty-password" value="false"/>
>>
>> This is to keep things failproof, given I only set CIDR and no password
>> for my users.
>>
>>
>>
>> On 14-05-06 03:07 PM, Anthony Minessale wrote:
>>
>> Patch added to make it work either way, but previously you didn't need:
>>
>> <domain>
>>   <users>
>>     <user>...</user>
>>     <user>...</user>
>>   </users>
>> </domain>
>>
>> Just:
>>
>> <domain>
>>   <user>...</user>
>>   <user>...</user>
>> </domain>
>>
>>
>>
>>
>>
>>
>>
>> On Tue, May 6, 2014 at 1:47 PM, Victor Chukalovskiy <
>> victor.chukalovskiy at gmail.com> wrote:
>>
>>>  Ok, done: https://jira.freeswitch.org/browse/FS-6506
>>>
>>> Also, added comment to the WiKi until this is fixed:
>>> https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups
>>>
>>>
>>> On 14-05-06 12:32 PM, Steven Ayre wrote:
>>>
>>> I'd go with a Jira. Either it's an oversight, or there's a reason for it
>>> that can be tracked in Jira and then the wiki updated referencing the
>>> ticket.
>>>
>>>
>>> On 5 May 2014 21:38, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>>
>>>> Alright, thank you! Domains ACL works BUT requires "users" to be in
>>>> "groups". If "users" are directly in the "domain" section, the ACL remains
>>>> empty.
>>>>
>>>> This contradicts the Wiki, which says: "Using groups is
>>>> optional -- you can put your users straight into the domain section if you
>>>> desire". Should I file a Jira or should I edit the Wiki instead? :)
>>>>
>>>> With regards to directory, I intend to keep it minimalistic:
>>>>
>>>> <user id="foo" cidr="1.2.3.4/32">
>>>>   <variables>
>>>>     <variable name="accountcode" value="customer_1"/>
>>>>   </variables>
>>>> </user>
>>>>
>>>> Will someone from a different CIDR be able to place calls as user "foo"
>>>> bypassing any authentication? Note that I don't set any password in params.
>>>> If so, how to secure this on the SIP profile level and keep user
>>>> entries as concise as possible?
>>>>
>>>> Thanks again!
>>>> -Victor
>>>>
>>>>
>>>> On 14-05-05 12:24 PM, Steven Ayre wrote:
>>>>
>>>> You need this:
>>>>     <param name="apply-inbound-acl" value="domains"/>
>>>>
>>>>
>>>>
>>>> On 5 May 2014 17:13, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Coming from a wholesale background, my FS's run without any
>>>>> registrations.
>>>>> So far everything was ACL-based using "apply-inbound-acl" and I did not
>>>>> use any directory entries.
>>>>>
>>>>> The only problem with this is that once I have all IPs together in one
>>>>> big ACL, I can't identify which customer the call came from. E.g. I need
>>>>> to set my_channel_variable=customer1 if a call came from particular IPs
>>>>> and my_channel_variable=customer2 if a call came from other IPs.
>>>>>
>>>>> So I'm trying to move the ACL logic into the directory by means of defining a
>>>>> user with a cidr attribute. So far, no matter what I do, FS challenges the
>>>>> INVITE with "407" even though the INVITE comes from the IP that is
>>>>> included in the CIDR attribute for a user. I suppose for whatever reason the
>>>>> switch does not match INVITEs against CIDRs in the directory. Please
>>>>> help me with that. The Wiki is written from a somewhat different logic /
>>>>> perspective, so it's hard to apply.
>>>>>
>>>>> My SIP profile is:
>>>>>
>>>>> <profile name="test">
>>>>>    <gateways>
>>>>>    </gateways>
>>>>>    <domains>
>>>>>    </domains>
>>>>>    <settings>
>>>>>      <param name="parse-invite-tel-params" value="true"/>
>>>>>      <param name="user-agent-string" value="test"/>
>>>>>      <param name="debug" value="0"/>
>>>>>      <param name="sip-trace" value="no"/>
>>>>>      <param name="log-auth-failures" value="true"/>
>>>>>      <param name="rfc2833-pt" value="101"/>
>>>>>      <param name="sip-port" value="5060"/>
>>>>>      <param name="dialplan" value="XML"/>
>>>>>      <param name="context" value="test"/>
>>>>>      <param name="country" value="e164"/>
>>>>>      <param name="dtmf-duration" value="2000"/>
>>>>>      <param name="inbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>>>      <param name="outbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>>>      <param name="caller-id-type" value="none"/>
>>>>>      <param name="rtp-timer-name" value="soft"/>
>>>>>      <param name="rtp-ip" value="192.168.1.2"/>
>>>>>      <param name="sip-ip" value="192.168.1.2"/>
>>>>>      <param name="manage-presence" value="false"/>
>>>>>      <param name="manage-shared-appearance" value="false"/>
>>>>>      <param name="inbound-codec-negotiation" value="greedy"/>
>>>>>      <param name="disable-transcoding" value="true"/>
>>>>>      <param name="manual-redirect" value="false"/>
>>>>>      <param name="disable-transfer" value="true"/>
>>>>>      <param name="disable-register" value="false"/>
>>>>>      <param name="auth-calls" value="true"/>
>>>>>      <param name="rtp-timeout-sec" value="300"/>
>>>>>      <param name="rtp-hold-timeout-sec" value="1800"/>
>>>>>      <param name="pass-callee-id" value="false"/>
>>>>>    </settings>
>>>>> </profile>
>>>>>
>>>>>
>>>>> Thanks!
>>>>> -Victor
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> 
>>>>> 
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://wiki.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>  --
>> Anthony Minessale II       ♬ @anthmfs  ♬ @FreeSWITCH  ♬
>>
>> http://freeswitch.org/  http://cluecon.com/  http://twitter.com/FreeSWITCH
>>  ☞ irc.freenode.net #freeswitch ☞ http://freeswitch.org/g+
>>
>>  ClueCon Weekly Development Call
>>  ☎ sip:888 at conference.freeswitch.org  ☎ +19193869900
>>
>>
>>
>>
>
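The thread settles three things: a directory user with a cidr= attribute is only consulted when the Sofia profile has apply-inbound-acl set to "domains" (Steven's first reply), the compiled-in default for allow_empty_password is SWITCH_TRUE so the domain needs an explicit allow-empty-password=false (Steven's grep), and, before the FS-6506 patch, users placed straight under <domain> rather than under <groups> left the domains ACL empty (Victor's finding). The Python script below is an added example written for this page; it is not code from the thread or from the FreeSWITCH project. It lints a profile fragment and a directory fragment for those three pitfalls and resolves a source IP to the user (and accountcode) that the domains ACL would map it to, which is what Victor wants the per-customer channel variable for. The XML fragments, the domain name example.invalid, the RFC 5737 addresses, and the assumption that cidr= may hold a comma-separated list are all constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample fragments (not taken verbatim from the thread); RFC 5737
# documentation addresses stand in for real customer IPs.
PROFILE_WEAK = """<profile name="test">
  <settings>
    <param name="auth-calls" value="true"/>
  </settings>
</profile>"""

PROFILE_FIXED = """<profile name="test">
  <settings>
    <param name="auth-calls" value="true"/>
    <param name="apply-inbound-acl" value="domains"/>
  </settings>
</profile>"""

DIRECTORY_WEAK = """<domain name="example.invalid">
  <users>
    <user id="foo" cidr="192.0.2.10/32">
      <variables><variable name="accountcode" value="customer_1"/></variables>
    </user>
    <user id="bar"/>
  </users>
</domain>"""

DIRECTORY_FIXED = """<domain name="example.invalid">
  <params>
    <param name="allow-empty-password" value="false"/>
  </params>
  <groups>
    <group name="default">
      <users>
        <user id="foo" cidr="192.0.2.10/32">
          <variables><variable name="accountcode" value="customer_1"/></variables>
        </user>
        <user id="bar" cidr="198.51.100.0/24,203.0.113.5/32">
          <variables><variable name="accountcode" value="customer_2"/></variables>
        </user>
      </users>
    </group>
  </groups>
</domain>"""


def _params(node, path):
    """Map name -> value for the <param> elements matched by `path`."""
    return {p.get("name"): p.get("value") for p in node.findall(path)}


def _cidrs(user):
    # Assumption: cidr= may carry several networks separated by commas.
    return [n.strip() for n in (user.get("cidr") or "").split(",") if n.strip()]


def lint_profile(profile_xml):
    """cidr= users only authenticate INVITEs when the profile applies the
    'domains' ACL; anything else keeps challenging them with 407."""
    settings = _params(ET.fromstring(profile_xml), "./settings/param")
    if settings.get("apply-inbound-acl") == "domains":
        return []
    return ["profile: apply-inbound-acl is not 'domains'"]


def lint_directory(directory_xml):
    """Report a domain that leaves allow-empty-password at its default (true),
    users with neither a CIDR nor a password, malformed CIDRs, and users
    outside <groups> (which left the domains ACL empty before FS-6506)."""
    root = ET.fromstring(directory_xml)
    findings = []
    if _params(root, "./params/param").get("allow-empty-password") != "false":
        findings.append("domain: allow-empty-password not set to 'false' "
                        "(the compiled-in default allows empty passwords)")
    grouped = {id(u) for u in root.findall("./groups/group/users/user")}
    for user in root.iter("user"):
        uid = user.get("id")
        nets = _cidrs(user)
        for net in nets:
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f"user {uid}: invalid cidr '{net}'")
        if not nets and not _params(user, "./params/param").get("password"):
            findings.append(f"user {uid}: no cidr and no password; "
                            "nothing ties this identity to a caller")
        if id(user) not in grouped:
            findings.append(f"user {uid}: not under <groups>; builds without "
                            "the FS-6506 patch leave the domains ACL empty")
    return findings


def match_user(directory_xml, source_ip):
    """Return (user id, accountcode) for the first user whose cidr= covers
    source_ip, i.e. what the domains ACL resolves an INVITE's source to."""
    root = ET.fromstring(directory_xml)
    addr = ipaddress.ip_address(source_ip)
    for user in root.iter("user"):
        for net in _cidrs(user):
            if addr in ipaddress.ip_network(net, strict=False):
                acct = user.find("./variables/variable[@name='accountcode']")
                return user.get("id"), None if acct is None else acct.get("value")
    return None
```

Run lint_profile and lint_directory over the "weak" fragments to see every finding the thread hit, and over the "fixed" ones to confirm an empty list; match_user shows which accountcode a call from a given source address would carry once the ACL maps it to a user.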