Sat 27 June 2004 14:53, Michal Zygmuntowicz wrote: > The database field has to contain exactly the same clear text > password. I just checked 2.0.8 and SQLPasswordAuth with OhPhone > and it works as expected. I can't make it work. I am trying with OpenPhone on a local network. OpenPhone runs on a Windows box and Gnugk runs on Linux. Maybe I've got the wrong configuration. Here is my gatekeeper.ini: [Gatekeeper::Main] Fourtytwo=42 Name=KaczorekGK TimeToLive=600 [RoutedMode] GKRouted=1 H245Routed=0 CallSignalPort=1721 CallSignalHandlerNumber=1 RemoveH245AddressOnTunneling=0 AcceptNeighborsCalls=1 AcceptUnregisteredCalls=0 SupportNATedEndpoints=1 DropCallsByReleaseComplete=1 #RemoveCallOnDRQ=1 #SendReleaseCompleteOnDRQ=0 #ScreenDisplayIE= #ScreenCallingPartyNumberIE= #ScreenSourceAddress= #ForwardOnFacility=1 #ShowForwarderNumber=1 #Q931PortRange=20000-20999 #H245PortRange=30000-30999 #ConnectTimeout=180000 [Proxy] #Enable=1 #InternalNetwork=10.0.1.0/255.255.255.0,127.0.0.0/8 #T120PortRange=40000-40999 #RTPPortRange=50000-59999 #ProxyForNAT=1 #ProxyForSameNAT=0 #[Endpoint] #Gatekeeper=auto #Gatekeeper=210.58.112.188 #Type=Gateway #H323ID=CitronProxy #E164=18888600000 #Password= #Prefix=18888600,1888890003 TimeToLive=900 #RRQRetryInterval=10 #ARQTimeout=2 #UnregisterOnReload=0 #NATRetryInterval=60 #NATKeepaliveInterval=86400 #[Endpoint::RewriteE164] #188889000=9 [RasSrv::RRQFeatures] #OverwriteEPOnSameAddress=1 #AcceptEndpointIdentifier=1 #AcceptGatewayPrefixes=1 [RasSrv::ARQFeatures] ArjReasonRouteCallToSCN=0 ArjReasonRouteCallToGatekeeper=1 CallUnregisteredEndpoints=1 RemoveTrailingChar=# ParseEmailAliases=1 [RasSrv::RRQAuth] ## On an RRQ the h323-alias is looked up in this section. ## If there is an entry the endpoint is authenticated against the given rules. ## If there is no entry the default action is performed. The default action ## is to confirm the RRQ, unless the parameter "default=reject" is given. 
## ## Notation: ## <authrules> := empty | <authrule> "&" <authrules> ## <authrule> := <authtype> ":" <authparams> ## <authtype> := "sigaddr" | "sigip" ## <autparams> := [!&]* ## The notation and meaning of <authparams> depends on <authtype>: ## - sigaddr: extended regular expression that has to match against the ## "PrintOn(ostream)" representation of the signal address of the request. ## Example: "sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.*" ## - sigip: specialized form of "sigaddr". Write the signalling ip address ## using (commonly used) decimal notation: "byteA.byteB.byteC.byteD:port" ## Example of the above sigaddr: "sigip:195.71.226.165:1720" ## ## These parameters should consider a HUP signal. #rossi-gt1=sigaddr:.*ipAddress .* ip = .* c3 47 e2 a2 .*port = 1720.* #rossi-gt2=sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.* #rossi-gt3=sigip:195.71.226.165:1720 default=confirm ## The parameter "rule" may be one of the following: ## - "forbid" disallow any connection (default when no rule is given) ## - "allow" allow any connection ## - "explicit" reads the parameter #"<ip>=<value>"# where ip is the ip4-address ## of the peering client. #<value># is resolved with #Toolkit::AsBool#. If the ip ## is not listed the param "default" is used. ## - "regex" the #<ip># of the client is matched against the given regular expression. ## First the ip-rules (like "explicit") are tested. Only if no such param exists ## is the regex tried. ## Example: "regex=^195\.71\.(129|131)\.[0-9]+$" ## - "password" authenticates clients by asking for username/password ## and compares them with the username/password pairs stored in this section. 
## Set the KeyFilled variable and use the addpasswd utility to add new username/password pairs: ## addpasswd gnugk.ini GkStatus::Auth gkadmin secret [GkStatus::Auth] rule=allow #rule=deny #rule=explicit #rule=regex # - 195.71.129.* # - 195.71.100.* # - 62.52.26.[1-2][0-9][0-9] #regex=^(195\.71\.(129|100)\.[0-9]+)|(62\.52\.26\.[1-2][0-9][0-9])$ #rule=password #KeyFilled=123 # only used when "rule=explicit" #default=forbid #Shutdown=disable ## ## Beside other things every number to rewrite has its ## own key/value-line. The implementation is such that ## all numbers that shall be rewritten have to begin ## with a common prefix given by 'Fastmatch'. ## ## Doc From the code: ## // Do rewrite to #newE164#. Append the suffix too. ## // old: 01901234999 ## // 999 Suffix ## // 0190 Fastmatch ## // 01901234 prefix, Config-Rule: 01901234=0521321 ## // new: 0521321999 ## ## The rewrite-numbers function takes care of reloads/a HUP signal. [RasSrv::RewriteE164] ## Only if an e164 number begins with #Fastmatch# is the ## further rewriting done. Only one #Fastmatch# can be given. #Fastmatch= #0190703100=052418088663 #01903142=0521178260 #5241908601903142=521178260 ## ## The GK would send an LRQ to its neighbors if the destination of an ARQ is unknown. ## A neighbor is selected if its prefix matches the destination or ## it has prefix '*'. ## Currently multiple prefixes are supported. ## # # GKID=ip[:port;prefixes;password;dynamic] # [RasSrv::Neighbors] #GK1=203.60.151.5:1719;*;gk1 #GK2=203.60.151.9:1719;02,03 [RasSrv::LRQFeatures] #NeighborTimeout=2 #ForwardHopCount=2 #AlwaysForwardLRQ=0 #AcceptForwardedLRQ=1 #IncludeDestinationInfoInLCF=1 #CiscoGKCompatible=1 ## ## In this section you can put endpoints that don't have RAS support ## or that you don't want to be expired. The records will always be ## in the GK's registration table. ## However, you can still unregister them via the status thread. ## # # ip[:port]=alias,alias,...[;prefix,prefix,...] 
# [RasSrv::PermanentEndpoints] # For gateway #10.0.1.5=Citron;009,008 # For terminal #10.0.1.10=798 ## ## Authentication mechanism ## ## Syntax: ## authrule=actions ## ## <authrule> := SimplePasswordAuth | LDAPPasswordAuth ## | AliasAuth | LDAPAliasAuth | ... ## <actions> := <control>[;<ras>|<q931>,<ras>|<q931>,...] ## <control> := optional | required | sufficient ## <ras> := GRQ | RRQ | URQ | ARQ | BRQ | DRQ | LRQ | IRQ ## <q931> := Setup ## ## Currently supported modules: ## ## SimplePasswordAuth/SQLPasswordAuth/LDAPPasswordAuth ## ## The module checks the tokens or cryptoTokens ## fields of the RAS message. The tokens should contain ## at least generalID and password. For cryptoTokens, ## cryptoEPPwdHash tokens hashed by simple MD5 and ## nestedcryptoToken tokens hashed by HMAC-SHA1-96 ## (libssl must be installed!) are supported now. ## The ID and password are read from the [Password] section ## / SQL / LDAP. For backward compatibility, the ## MySQLPasswordAuth module can be used instead of SQLPasswordAuth ## ## NeighborPasswordAuth ## ## The module only checks LRQs from neighbors. The ID and ## password are defined in the [RasSrv::Neighbors] section. ## ## AliasAuth/ ## LDAPAliasAuth/ The IP of an endpoint with a given alias should ## SQLAliasAuth match a specified pattern. For AliasAuth the pattern ## is defined in the [RasSrv::RRQAuth] section. ## For LDAPAliasAuth the alias (default: mail attribute) ## and IP (default: voIPIpAddress attribute) must be found ## in one LDAP entry. ## For SQLAliasAuth alias and IP are read from a database. ## For backward compatibility the MySQLAliasAuth module is supported. ## ## RadAuth/RadAliasAuth ## ## The H.235 username/password from the RRQ/ARQ message ## or endpoint alias/IP from the RRQ/ARQ/Setup message ## is used to authenticate an endpoint/a call using a ## RADIUS server. ## ## A rule may result in one of three codes: ok, fail, pass. 
## ## ok The request is authenticated by this module ## fail The authentication fails and the request should be rejected ## next The rule cannot determine the request ## ## There are also three ways to control a rule: ## ## optional If the rule cannot determine the request, it is passed ## to the next rule. ## required The request must be authenticated by this module, ## or it is rejected. The authenticated request is ## then passed to the next rule. ## sufficient If the request is authenticated, it is accepted; ## otherwise it is rejected. That is, the rule determines ## the fate of the request. No rule should be put after ## a sufficient rule, since it won't take effect. ## ## You can also configure a rule to check only some particular RAS ## messages. For example, to configure SimplePasswordAuth as a required ## rule to check RRQ, ARQ and LRQ: ## SimplePasswordAuth=required;RRQ,ARQ,LRQ # [Gatekeeper::Auth] SQLPasswordAuth=optional;RRQ SQLAliasAuth=required;RRQ default=reject [SQLPasswordAuth] Driver=MySQL Host=localhost Database=communicator Username=gnugk CacheTimeout=0 Query=SELECT h235password FROM users WHERE alias = '%1' AND active = '1' [SQLAliasAuth] Driver=MySQL Host=localhost Database=communicator Username=gnugk CacheTimeout=0 Query=SELECT authcond FROM users WHERE alias = '%1' AND active = '1' ## ## Destination analysis mechanism ## (must be enabled with compiler option WITH_DEST_ANALYSIS_LIST) ## ## Syntax: ## authrule=actions ## ## <authrule> := OverlapSendDestAnalysis ## <actions> := <control>[;<message>,<message>,...] ## <control> := optional | required | sufficient ## <message> := ARQ | LRQ ## ## Currently supported modules: ## ## OverlapSendDestAnalysis This module checks for incomplete destination ## addresses (not fully implemented up to now). ## ## A rule may result in one of three codes: ok, fail, pass. ## There are also three ways to control a rule: optional, required, sufficient. 
## Additionally you can configure a rule to check only some particular ## messages. ## (see Authentication mechanism for detailed information). # [Gatekeeper::DestAnalysis] #OverlapSendDestAnalysis=required;ARQ #default=reject #default=allow ## ## Use 'make addpasswd' to generate the utility addpasswd ## Usage: ## addpasswd config section userid password ## #[Password] #KeyFilled=123 #CheckID=FALSE #PasswordTimeout=0 #(id=cwhuang, password=123456) #cwhuang=UGwUtpy837k= [MySQLAuth] #Host=localhost #Database=billing #User=cwhuang #Password=123456 #Table=customer #IDField=IPN #PasswordField=Password #ExtraCriterion=Kind < 2 #CacheTimeout=0 [MySQLAliasAuth] #Host=localhost #Database=billing #User=cwhuang #Password=123456 #Table=customer #IDField=IPN #IPField=IPAddr #ExtraCriterion=Kind < 2 #CacheTimeout=0 [SQLPasswordAuth] #Driver=MySQL #Host=localhost #Database=billing #Username=gnugk #Password=secret #CacheTimeout=0 #Query=SELECT password FROM users WHERE alias = '%1' [SQLAliasAuth] #Driver=PostgreSQL #Host=localhost #Database=billing #Username=gnugk #Password=secret #CacheTimeout=0 #Query=SELECT authcond FROM users WHERE alias = '%1' [CallTable] #GenerateNBCDR=TRUE #GenerateUCCDR=TRUE #DefaultCallDurationLimit=21600 #AcctUpdateInterval=0 [GkLDAP::LDAPAttributeNames] #H323ID=mail #IPAddress=voIPIpAddress #TelephonNo=telephoneNumber #H235PassWord=plaintextPassword # Settings for LDAP access [GkLDAP::Settings] #ServerName=ldap #ServerPort=389 #SearchBaseDN=o=University of Michigan, c=US #BindUserDN=cn=Babs Jensen,o=University of Michigan, c=US #BindUserPW=ReallySecretPassword #sizelimit=0 #timelimit=0 ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. 