|
|
@@ -307,6 +307,30 @@ modparam("registrar", "save_nat_flag", "FLAG_NAT")
|
|
|
#modparam("auth_db", "password_column", "password")
|
|
|
# minimize replay-attack window
|
|
|
modparam("auth", "nonce_expire", 10)
|
|
|
+
|
|
|
+# Enable/disable extra authentication checks using the following modparams.
|
|
|
+# The values are: 1:Request-URI, 2:Call-ID, 4: From tag, 8:source IP
|
|
|
+# The options are disabled by default.
|
|
|
+
|
|
|
+# For REGISTER requests we hash the Request-URI, Call-ID, and source IP of the
|
|
|
+# request into the nonce string. This ensures that the generated credentials
|
|
|
+# cannot be used with another registrar, user agent with another source IP
|
|
|
+# address or Call-ID. Note that user agents that change Call-ID with every
|
|
|
+# REGISTER message will not be able to register if you enable this.
|
|
|
+#modparam("auth", "auth_checks_register", 11)
|
|
|
+
|
|
|
+# For dialog-establishing requests (such as the original INVITE, OPTIONS, etc)
|
|
|
+# we hash the Request-URI and source IP. Hashing Call-ID and From tags takes
|
|
|
+# some extra precaution, because these checks could render some UA unusable.
|
|
|
+#modparam("auth", "auth_checks_no_dlg", 9)
|
|
|
+
|
|
|
+# For mid-dialog requests, such as re-INVITE, we can hash source IP and
|
|
|
+# Request-URI just like in the previous case. In addition to that we can hash
|
|
|
+# Call-ID and From tag because these are fixed within a dialog and are
|
|
|
+# guaranteed not to change. This settings effectively restrict the usage of
|
|
|
+# generated credentials to a single user agent within a single dialog.
|
|
|
+#modparam("auth", "auth_checks_in_dlg", 15)
|
|
|
+
|
|
|
# deal with client's who can't do qop properly
|
|
|
modparam("auth", "qop", "")
|
|
|
#DEBCONF-AUTHSECRET-START
|
Jan Janak