TURN Long term credentials using Keys


Afaque H

Jun 30, 2014, 4:39:55 AM
to turn-server-project...@googlegroups.com

Hi,

I am trying to use the long term credentials using the dynamic user database file for WebRTC application. When I use normal username and passwords, everything works fine. However, when I try to use those credentials with keys, I am getting 401 Unauthorized error from the TURN server. I will write down the steps that I've carried out, let me know if I am doing something wrong.

  1. I first generate a key for a user say John using the turnadmin.
  2. I add the following entry in the turnuserdb.conf file : John:0x5758abfebf8810a8befae5c1d8653d01
  3. I un-comment the appropriate lines in the turnserver.conf file.
  4. I provide the credentials in a WebRTC application as in the file attached 'TurnCredentials'.
  5. When I run the WebRTC application, I get the following error: "14: session 001000000000000001: user <John>: incoming packet message processed, error 401: Unauthorised" from the TURN server. I've attached the log file with this post.
Let me know of your comments.

Thanks, 
Afaque.
          
turnlog.log
TurnCredentials.txt

Oleg Moskalenko

Jun 30, 2014, 12:06:25 PM
to Afaque H, turn-server-project...@googlegroups.com
see below in the text:


On Mon, Jun 30, 2014 at 1:39 AM, Afaque H <afaq...@gmail.com> wrote:

> Hi,
>
> I am trying to use the long term credentials using the dynamic user database file for WebRTC application. When I use normal username and passwords, everything works fine. However, when I try to use those credentials with keys, I am getting 401 Unauthorized error from the TURN server. I will write down the steps that I've carried out, let me know if I am doing something wrong.
>
>   1. I first generate a key for a user say John using the turnadmin.

you did not forget to use the realm parameter, right?

>   2. I add the following entry in the turnuserdb.conf file : John:0x5758abfebf8810a8befae5c1d8653d01

right

>   3. I un-comment the appropriate lines in the turnserver.conf file.
>   4. I provide the credentials in a WebRTC application as in the file attached 'TurnCredentials'.

I cannot evaluate this one

>   5. When I run the WebRTC application, I get the following error: "14: session 001000000000000001: user <John>: incoming packet message processed, error 401: Unauthorised" from the TURN server. I've attached the log file with this post.

a single 401 error in the beginning of every session is OK, this is a part of the dialog - but after that the session must be authenticated properly.

> Let me know of your comments.
>
> Thanks,
> Afaque.


Afaque H

Jul 1, 2014, 4:10:10 AM
to turn-server-project...@googlegroups.com, afaq...@gmail.com
Hi Oleg,

Sorry for not providing enough information.

1. Yup, for generating a key for a user I do use the realm parameter. Here's the command that I use to generate a key:
   
    turnadmin -k -u Bart -r xxx.xx.xx -p Simpson

    where appropriate value is provided instead of xxx.xx.xx.

2. I add the following line to the turnuserdb.conf: Bart:0x5824fac497b93912e81b1db816803ca8
    I also have an entry in that file with normal passwords: webrtcuser:test

3. Attached is my turnserver.conf file. In that file, the realm value is appropriately replaced instead of xxx.xx.xx.
4. I start the turnserver using the command line (just for testing): sudo turnserver & 
5. I use the turnutils_uclient for testing the installed TURN server.
    First I test it with normal username and password:
    turnutils_uclient -p 443 -u webrtcuser -w test 131.160.85.228

    And everything works fine.

    But when I try this command: 
    turnutils_uclient -p 443 -u Bart -w 0x5824fac497b93912e81b1db816803ca8 131.160.85.228

    I get:  0: Cannot complete Allocation
             0: ERROR: Cannot complete Allocation 

6. I've attached the TURN server log file containing both a successful allocation and an unsuccessful one. 

Let me know if you need more information.

Thanks,
Afaque. 
turn_4257_2014-07-01.log
turnserver.conf

Oleg Moskalenko

Jul 1, 2014, 5:23:24 AM
to turn-server-project...@googlegroups.com, afaq...@gmail.com
The turnutils_uclient program in the -w option accepts only a plain password as the option value. It then converts it to the key, internally. Use the open password ('Simpson'?) as the -w option.

Afaque H

Jul 1, 2014, 9:34:54 AM
to turn-server-project...@googlegroups.com, afaq...@gmail.com
I tried with open password:  turnutils_uclient -p 443 -u Bart -w Simpson 131.160.85.228
Still the same result.

Oleg Moskalenko

Jul 1, 2014, 12:35:10 PM
to turn-server-project...@googlegroups.com, afaq...@gmail.com
There must be a typo somewhere or something like that.

Try to do the experiment:

1) go to the project root directory.
2) Edit the file examples/scripts/longtermsecure/secure_relay.sh: remove the --user parameters from the command-line in that script.
3) Edit the file examples/etc/turnuserdb.conf: uncomment the line with the user ninefingers key.
4) Start the examples/scripts/longtermsecure/secure_relay.sh.
5) Start the examples/scripts/longtermsecure/secure_udp_c2c.sh

You will see that the ninefingers credentials are taken from the turnuserdb.conf file. 

Now, try to figure out how your configuration is different from the configurations in 
examples/scripts/longtermsecure/secure_udp_c2c.sh,
examples/scripts/longtermsecure/secure_relay.sh and examples/etc/turnuserdb.conf.

You can substitute your own user data in those files and see how it works.

Oleg

Robert Wang

Nov 14, 2014, 4:06:23 AM
to turn-server-project...@googlegroups.com, afaq...@gmail.com
Have you uncommented the userdb in the turnserver.config?

# Default file name is turnuserdb.conf. 

userdb=/etc/turnuserdb.conf 

I also got 401 unauthorized. But after I uncommented the userdb, everything works just fine!


On Tuesday, July 1, 2014 at 9:34:54 PM UTC+8, Afaque H wrote: