From 52d59f187c83da8e94cfacf29232794ef8bc82f9 Mon Sep 17 00:00:00 2001
From: see
Date: Wed, 27 Apr 2022 16:36:26 +0200
Subject: [PATCH] updated knowledge on authentication issue
---
 .../image/resources/turnserver.conf | 41 ++++++++++++++++---
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/infrastructure/docker-coturn/image/resources/turnserver.conf b/infrastructure/docker-coturn/image/resources/turnserver.conf
index 82c970e..d558964 100644
--- a/infrastructure/docker-coturn/image/resources/turnserver.conf
+++ b/infrastructure/docker-coturn/image/resources/turnserver.conf
@@ -1,5 +1,6 @@
 # location of example configuration
 ## https://github.com/coturn/coturn/blob/master/docker/coturn/
+## https://github.com/coturn/coturn/blob/master/README.turnserver - Line 666 for TURN REST API
 listening-port=3478
 tls-listening-port=5349
@@ -13,7 +14,7 @@ total-quota=100
 bps-capacity=0
 no-udp #??
 no-tcp #??
-# stale-nonce=600 # Authentication Issue
+# stale-nonce=600 # Authentication Issue - when to force re-authentication in seconds
 cert=/etc/ssl/certs/stun.kuketz-meet_ecdsa.pem # same as jitsi?
 pkey=/etc/ssl/private/stun.kuketz-meet_ecdsa.key # same as jitsi?
 cipher-list="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
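Review bot: The reworded comment on the `# stale-nonce=600` line describes the option as the moment to force re-authentication, but the value is the lifetime in seconds of the nonce the server hands out, after which a client has to fetch a fresh nonce and re-sign its requests; since the line stays commented out, whatever coturn's built-in default is remains in effect, and the comment edit changes nothing operationally. If the intent is to pin the value explicitly, uncomment it and let the trailing comment state what it is: `stale-nonce=600 # nonce lifetime in seconds; clients must refresh their nonce after this`. The settings of this section continue outside the hunk.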
@@ -24,15 +25,43 @@ log-file=/var/log/coturn.log
 # simple-log # We want logs with pid and date in the name
 no-multicast-peers
 # cli-port=5766 # do we want cli access?
-#cli-password=SOME_SALTED_PW # do we want a cli password?
+# cli-password=SOME_SALTED_PW # do we want a cli password?
 no-tlsv1
 no-tlsv1_1
 # Authentication Issue -> restrict access to only jitsi server ?
-## 1 use-auth-secret?
-## 2 if yes: what secret to define
-## 3 reauthentication only possible with auth-secret
-## There seems to be a userdb file for authentication
+## Authentication mechanisms:
+## no-auth [default] - allows anonymous access
+## lt-cred-mech - long time credential mechanism, do not use with use-auth-secret
+## oauth - sets the possibility for oAuth
+## server-name= - sets the server name which is used for oAuth
+
+## [define a user in config (this file), command line, or userdb file] - sets lt-cred-mech as default
+### user=username1:key1
+### or
+### user=username1:password1
+### Keys must be generated by turnadmin utility. The key value depends
+### on user name, realm, and password:
+###
+### Example:
+### $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+### Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+### ('0x' in the beginning of the key is what differentiates the key from
+### password. If it has 0x then it is a key, otherwise it is a password).
+###
+### The corresponding user account entry in the config file will be:
+###
+### user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+### Or, equivalently, with open clear password (less secure):
+### user=ninefingers:youhavetoberealistic
+
+## use-auth-secret - sets the TURN REST API flag
+### This option is used with timestamp:
+### usercombo -> "timestamp:userid"
+### turn user -> usercombo
+### turn password -> base64(hmac(secret key, usercombo))
+
+## we can use a database for storing users and secrets for the TURN REST API
 # CLI Security
 ## do we want a password?
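Review bot: None of the credential mechanisms the new comment block explains is actually enabled in this hunk — `lt-cred-mech`, `use-auth-secret` and `user=` appear only inside comments, and the earlier question `# Authentication Issue -> restrict access to only jitsi server ?` is kept but still not answered. As the new notes themselves state, `no-auth` is coturn's default, so unless a mechanism is set in a part of the file outside this hunk the relay accepts anonymous allocations from anyone who can reach ports 3478/5349, which is a bandwidth-abuse and reputation risk for the host. A decision marker next to the mechanism list would keep this from being lost, e.g. `## TODO: enable exactly one of lt-cred-mech (+ user=...) or use-auth-secret (+ static-auth-secret=...) before deployment; the two are mutually exclusive`. The `# cli-password=SOME_SALTED_PW` tweak is whitespace only, and the CLI section continues outside the hunk.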