updated knowledge on authentication issue
This commit is contained in:
parent
eff955eb23
commit
52d59f187c
1 changed files with 35 additions and 6 deletions
@ -1,5 +1,6 @@
|
||||||
# location of example configuration
|
# location of example configuration
|
||||||
## https://github.com/coturn/coturn/blob/master/docker/coturn/
|
## https://github.com/coturn/coturn/blob/master/docker/coturn/
|
||||||
|
## https://github.com/coturn/coturn/blob/master/README.turnserver - Line 666 for TURN REST API
|
||||||
|
|
||||||
listening-port=3478
|
listening-port=3478
|
||||||
tls-listening-port=5349
|
tls-listening-port=5349
|
||||||
|
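Review bot: the new reference "README.turnserver - Line 666 for TURN REST API" points at a line number in a file on the master branch, which will drift as soon as upstream edits that file. Reference the section by its option name instead (the TURN REST API section is the one describing `use-auth-secret`), or pin the link to a specific commit rather than `master`.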
@ -13,7 +14,7 @@ total-quota=100
|
||||||
bps-capacity=0
|
bps-capacity=0
|
||||||
no-udp #??
|
no-udp #??
|
||||||
no-tcp #??
|
no-tcp #??
|
||||||
# stale-nonce=600 # Authentication Issue
|
# stale-nonce=600 # Authentication Issue - when to force re-authentication in seconds
|
||||||
cert=/etc/ssl/certs/stun.kuketz-meet_ecdsa.pem # same as jitsi?
|
cert=/etc/ssl/certs/stun.kuketz-meet_ecdsa.pem # same as jitsi?
|
||||||
pkey=/etc/ssl/private/stun.kuketz-meet_ecdsa.key # same as jitsi?
|
pkey=/etc/ssl/private/stun.kuketz-meet_ecdsa.key # same as jitsi?
|
||||||
cipher-list="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
|
cipher-list="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
|
||||||
|
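Review bot: the expanded comment on `stale-nonce=600` documents the option but the line is still commented out, so the setting is not actually applied and the server keeps its built-in default; if the intent is to pin nonce lifetime to 600 seconds as part of addressing the "Authentication Issue", uncomment the option. The unresolved `#??` markers on the surrounding `no-udp` and `no-tcp` lines are also still open in this hunk; since both transports affect which clients can reach the relay, decide and document them rather than leaving the question marks in a live config.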
@ -29,10 +30,38 @@ no-tlsv1
|
||||||
no-tlsv1_1
|
no-tlsv1_1
|
||||||
|
|
||||||
# Authentication Issue -> restrict access to only jitsi server ?
|
# Authentication Issue -> restrict access to only jitsi server ?
|
||||||
## 1 use-auth-secret?
|
## Authentication mechanisms:
|
||||||
## 2 if yes: what secret to define
|
## no-auth [default] - allows anonymous access
|
||||||
## 3 reauthentication only possible with auth-secret
|
## lt-cred-mech - long time credential mechanism, do not use with use-auth-secret
|
||||||
## There seems to be a userdb file for authentication
|
## oauth - sets the possibility for oAuth
|
||||||
|
## server-name= - sets the server name which is used for oAuth
|
||||||
|
|
||||||
|
## [define a user in config (this file), command line, or userdb file] - sets lt-cred-mech as default
|
||||||
|
### user=username1:key1
|
||||||
|
### or
|
||||||
|
### user=username1:password1
|
||||||
|
### Keys must be generated by turnadmin utility. The key value depends
|
||||||
|
### on user name, realm, and password:
|
||||||
|
###
|
||||||
|
### Example:
|
||||||
|
### $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
|
||||||
|
### Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||||
|
### ('0x' in the beginning of the key is what differentiates the key from
|
||||||
|
### password. If it has 0x then it is a key, otherwise it is a password).
|
||||||
|
###
|
||||||
|
### The corresponding user account entry in the config file will be:
|
||||||
|
###
|
||||||
|
### user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||||
|
### Or, equivalently, with open clear password (less secure):
|
||||||
|
### user=ninefingers:youhavetoberealistic
|
||||||
|
|
||||||
|
## use-auth-secret - sets the TURN REST API flag
|
||||||
|
### This option is used with timestamp:
|
||||||
|
### usercombo -> "timestamp:userid"
|
||||||
|
### turn user -> usercombo
|
||||||
|
### turn password -> base64(hmac(secret key, usercombo))
|
||||||
|
|
||||||
|
## we can use a database for storing users and secrets for the TURN REST API
|
||||||
|
|
||||||
# CLI Security
|
# CLI Security
|
||||||
## do we want a password?
|
## do we want a password?
|
||||||
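Review bot: the removed line "## 2 if yes: what secret to define" asked where the shared secret for the TURN REST API comes from, and the new notes drop that question without answering it: the added scheme `turn password -> base64(hmac(secret key, usercombo))` names a "secret key" but nowhere says where that key is configured or that it must match what the Jitsi side uses to mint credentials. Keep the open question (or answer it) next to the `## use-auth-secret` block so it is not lost. Two smaller points in the same hunk: `lt-cred-mech` is the long-term (not "long time") credential mechanism, and the `### user=ninefingers:...` lines, the realm `north.gov`, the password `youhavetoberealistic` and the key `0xbc807ee29df3c9ffa736523fb2c4e8ee` are the upstream README's example values, so mark them as such in the comment to make sure nobody uncomments them into a real account.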