Password Recovery

MSRPRelay with Python Server ( http://msrprelay.org )

A typical use of MSRP is instant messaging sessions initiated via SIP. Unlike page-mode instant messaging, which is done via the SIP MESSAGE request, MSRP uses a different communication channel which is negotiated via INVITE-200 OK-ACK.

However, MSRP is still a text-based protocol. It uses several routing mechanisms similar to what exists in SIP. Furthermore, MSRP requires TCP, and recommends TLS for confidentiality and security. 

 

MSRP can be used within a SIP session:

MSRP session is set up through SIP's offer-answer model. The SDP m-line media type is message and the protocol is either TCP/MSRP for MSRP over TCP and TCP/TLS/MSRP for MSRP over secure TLS. Furthermore, the MSRP URI is specified in a path attribute.

A full SDP example, as provided by the RFC:

   v=0
   o=alice 2890844526 2890844527 IN IP4 alice.example.com
   s= -
   c=IN IP4 alice.example.com
   t=0 0
   m=message 7394 TCP/MSRP *
   a=accept-types:text/plain
   a=path:msrp://alice.example.com:7394/2s93i9ek2a;tcp

 

 MSRPRelay Server Features:

  • Multiple domains supported
  • TLS encryption and digital certificates unsing GnuTLS
  • Digest or basic HTTP authentication with support for multiple realms
  • Database passwords can be stored in an encrypted format

Install as Debian Package

Add these lines to /etc/apt/sources.list:

# AG Projects software
deb http://ag-projects.com/debian unstable main
deb-src http://ag-projects.com/debian unstable main

Install the AG Projects debian software signing key:

sudo wget -O /etc/apt/trusted.gpg.d/agp-debian-key.gpg http://download.ag-projects.com/agp-debian-key.gpg

After that, run:

sudo apt-get update
sudo apt-get install mrsprelay

If you have installed the debian package you can skip forward to the Configure the server section.

Ubuntu notes

There is a known compatibility issue with Ubuntu shipped libgcrypt11 library. If you have configured AG Projects debian repository, install this version instead:

 

sudo apt-get install libgcrypt11=1.5.0-3ubuntu1+agp

Configure the server

A sample configuration file is provided as config.ini.sample. All configuration options are documented in this file.

Configure the MSRP Relay by copying config.ini.sample to config.ini and editing it. At the very least the certificates need to be provided and the authentication backend needs to be configured.

Generate a TLS certificate/key pair. For documentation on how to do this, see the "tls" directory.

Typically, both TLS certificate/key pair and configuration file would be i nstalled in /etc/msrprelay. This is not needed however, as MSRP Relay looks for the configuration file in its local directory. Alternatively, the configuration filename and location may be specified on the command line using the --config-file option.

If you don't have a running user database to connect to you can test using the in-memory backend as described.

The software will reload its configuration file when it receives the HUP signal. All of the already established sessions will continue to operate using the old settings until a disconnection occurs within this session. This allows for changes in the configuration without disruption of service.

NOTE: at this moment the backend configurations are not re-read.

Configure DNS

For each domain served by the relay the following DNS record must be added to the name servers authoritative for the domain:

_msrps._tcp.example.com. IN SRV 0 0 2855 msrprelay.example.com.
msrprelay.example.com.   IN A 10.0.0.1

Replace the domain name, hostname and IP address with the real ones.

Multiple relays per domain

For allowing multiple relays for each domain you must either:

  1. Create multiple SRV DNS records pointing to multiple hostnames or
  2. Create one SRV record that point to one hostname and add multiple A records for that hostname pointing to multiple IP addesses. When doing so it is important that each relay is configured with a hostname that is resolvable in the DNS to his own IP address.

Running the server

Start the MSRPRelay, either by executing:

./msrprelay --no-fork

or as a daemon, which is the default behaviour.

This can also be done using the init.d script:

/etc/init.d/msrprelay start

When started as a deamon MSRPRelay will log its messages to syslog.

Example config file:

 

; MSRP Relay example configuration file
;
; This configuration file consists of two subsections:
;
; - a global configuration section under the "Relay" heading
; - a configuration section per username/password retrieval backend

; Global configuration

[Relay]

; mandatory setting
; The X509 certificate file to use during the TLS handshake. A path that
; does not start with / is relative to /etc/msrprelay/ folder
certificate = tls/msrprelay.crt

; mandatory setting
; The X509 private key file to use during the TLS handshake. A path that
; does not start with / is relative to /etc/msrprelay/ folder
key = tls/msrprelay.key

; Local IP address and port to listen on. Default is to listen on all addresses
; for this host on port 2855, the default IANA MSRP port.
address = msrp.example.com:9000

; Allow other methods besides the standard (SEND, REPORT, NICKNAME) to be forwarded through the relay
; allow_other_methods = Yes

; Disable TLS and use TCP only for this MSRP Relay. As this breaks with
; specifications, only use it for debugging purposes.
debug_notls = Yes

; Log failed AUTH attempts to the syslog or console.
; log_failed_auth = No

; Maximum ammount of times a newly connected client can re-try an AUTH before
; it gets disconnected.
; max_auth_attempts = 3

; The number of seconds a AUTH challenge, once issued, remains valid
; auth_challenge_expiration_time = 15

; mandatory setting
; The default backend to use for username/password retrieval. Backend names
; refer to modules in the backend package.
backend = database
;backend = memory

; The hostname to present in Use-Path MSRP URIs. Normally this need not be
; specified, as it is fetched automatically from the subject alternative name
; of the TLS certificate. If TLS is disabled and the hostname value is not
; specified, the IP address on which the relay is listening will be used.
hostname = msrp.example.com

; If this value is not specified, the domain part of the authentication is
; taken to be the host part of the URI in the To-Path of the AUTH request. As
; this requires provisioning of SRV records, the value can be manually
; overridden here. Note that this implies that all users are authenticated in
; this, and only this, domain.
default_domain = msrp.example.com

; The logging level can be one of CRITICAL, ERROR, WARNING, INFO and DEBUG,
; in increasing order of verbosity. The default value is DEBUG
; log_level = DEBUG

;
; Backend configuration
;

[Database]

; The Database backend does username/password retrieval from a database
; accessible my SQLObject. By default this is configured to access an
; OpenSIPS database. As the table and column names are configurable this
; could be any database.

; The URI used to access the database, including username and password. Check
; the SQLObject documentation for syntax.
uri = mysql://kamailio:kamailiorw@localhost/kamailio

; If this option is set the database will be queried for literal passwords.
; Otherwise, the "ha1" digest hash will be requested.
cleartext_passwords = No

; The name of the database table to consult.
subscriber_table = subscriber

; The username column.
username_col = username

; The domain column.
domain_col = domain

; The password column, consulted if cleartext_passwords is set
;password_col = ha1

; The ha1 column, consulted if cleartext_passwords is not set
ha1_col = ha1


[Memory]

; A simple to use memory backend useful for testing purposes. Each entry is
; a username/password pair.

alice@example.com = 1234
bob@example.com = 1234