Lukasz

I'm a little confused. Are you referring to calling into a Gatekeeper from an Unregistered Endpoint or calling to an unregistered endpoint from a registered endpoint? I am going to assume it's the first one.

If so, then refer to the manual
http://www.gnugk.org/gnugk-manual-8.html#ss8.1

Use

[Gatekeeper::Auth]
<authrule> = SetupUnreg

This will check for a cryptoToken in the incoming Setup message from an unregistered caller. If there is not one, then the unregistered caller is refused admission. You will need a client that supports cryptoTokens in the Setup message. PacPhone www.pacphone.com does (see http://www.pacphone.com/getstart.htm#1.1.6 ).

Not all cryptoTokens require OpenSSL support, only H.235.1 (MD5 and CAT do not). H.235.1 support was only recently added back to GnuGk and you will need the CVS version of pwlib/OpenH323.

How cryptoTokens work in RAS (unrelated to the above, which is call signalling) is that the endpoint supplies a list of authentication methods it supports to the gatekeeper in the registration process in the GRQ. The gatekeeper returns back a list of common authentication mechanisms (both support) in the GCF and then the endpoint uses one or more of these in the RRQ to register with the gatekeeper. This is fully supported in GnuGk.

If you are using GnuGk v2.2.6 (with pwlib/OpenH323 CVS) you can control which authenticators to use. MD5 is not that secure so you might opt to remove it. So you can set:

[Gatekeeper::Main]
Authenticators=H.235.1,CAT

Note: Not all endpoints support H.235.1 but almost all support MD5, so use it with caution.

Simon

At 09:58 PM 9/08/2007, Łukasz Czekierda wrote:
>Hello, everybody!
>
>Sorry if the issue was already discussed - there are timeouts when
>searching in the archive so I cannot check.
>
>I would like to strengthen security of RAS communication.
>CallUnregisteredEndpoints feature seems to be not implemented (GK always
>sends ACF regardless of whether the other side (caller or callee) is
>registered in GK or not). Adding a piece of code supporting this feature in
>AdmissionRequest::Process seems to be easy, but it makes no sense when
>only simple security is used - an unauthorized and unregistered EP could
>pass a known endpoint's alias as its own and GK would allow the other EP
>(registered) to establish the connection.
>
>The option to strengthen the security is to use cryptotokens, am I right?
>
>There is hardly any information about it in the documentation.
>I've recompiled gnugk with support of openssl (required?) but not changed
>ohphone (I found in its changelog: 2001-08-10 05:06 robertj main.cxx: No
>longer need SSL to have H.235 security.)
>
>Which entity should require strong security with cryptotokens, is it GK?
>Should it return in the GCF the authentication method? How to enable it?
>At the moment ohphone in GRQ sends two items in authenticationCapability:
>authenticationBES and pwdHash, the GK responds in GCF:
>authenticationBES:radius. So it seems to me that EP is ready to support
>cryptotokens, but GK does not require this.
>
>I would be grateful for any help.
>
>With best regards,
>Lukasz
>
>_______________________________________________________
>
>Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
>Archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
>Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
>Homepage: http://www.gnugk.org/
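
The GRQ/GCF/RRQ negotiation described in the reply above, as an added example that is not part of the original email or GnuGk's code: a simplified Python model showing what restricting Authenticators to H.235.1,CAT means for an MD5-only endpoint. The message layout, the reject strings and the class and function names are assumptions of this sketch.

```python
# Simplified model of GRQ -> GCF -> RRQ authenticator negotiation.
# Mechanism names come from the email; the message layout and the
# reject behaviour are assumptions of this sketch, not H.225 ASN.1.

class Gatekeeper:
    def __init__(self, authenticators):
        # Mirrors [Gatekeeper::Main] Authenticators=... from the reply.
        self.authenticators = list(authenticators)

    def handle_grq(self, endpoint_caps):
        """GCF carries the mechanisms both sides support, in GK order."""
        common = [m for m in self.authenticators if m in endpoint_caps]
        return ("GCF", common) if common else ("GRJ", [])

    def handle_rrq(self, offered, token_mechanisms):
        """Accept only tokens built with a mechanism offered in the GCF."""
        if not token_mechanisms:
            return "RRJ: no token supplied"
        bad = [m for m in token_mechanisms if m not in offered]
        if bad:
            return "RRJ: mechanism not offered: " + ",".join(bad)
        return "RCF"


def register(gk, endpoint_caps, use=None):
    """Run one endpoint through discovery (GRQ) and registration (RRQ)."""
    reply, offered = gk.handle_grq(endpoint_caps)
    if reply == "GRJ":
        return "GRJ: no common authenticator"
    # By default the endpoint uses the first mechanism the GK offered.
    tokens = offered[:1] if use is None else use
    return gk.handle_rrq(offered, tokens)


# Constructed sample endpoints and gatekeeper settings.
HARDENED = Gatekeeper(["H.235.1", "CAT"])
PERMISSIVE = Gatekeeper(["H.235.1", "CAT", "MD5"])
MODERN_EP = ["MD5", "CAT", "H.235.1"]
LEGACY_EP = ["MD5"]

if __name__ == "__main__":
    for name, gk in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
        for ep_name, caps in (("modern", MODERN_EP), ("legacy", LEGACY_EP)):
            print(name, ep_name, "->", register(gk, caps))
    # An RRQ carrying a mechanism the GCF never offered is refused.
    print(register(HARDENED, MODERN_EP, use=["MD5"]))
```

In this model the MD5-only endpoint is turned away at discovery once MD5 is dropped from the list, which is the compatibility cost the note about MD5 support refers to.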