February 19, 2010
Question

Securing live stream - nasty surprise

  • February 19, 2010
  • 2 replies
  • 2925 views

Hi all,

I have a nasty problem with FMIS (note - NOT FMS, we purposely paid for the vastly more expensive FMIS so we could make use of the authentication plugin)...

I've set this up on a test Linux box (latest 3.5.3 version), and installed the authentication plugin[1] as I want to prevent people from live streaming through the server without entering a valid username/password combination - to prevent stuff like this: http://forums.adobe.com/thread/563796?tstart=60 from happening.


The auth plugin has been installed, and a user created. I have confirmed that this part works, as when I try to connect using Flash Media Live Encoder, I can't stream without providing a username/password. So at this point, I thought "job done", and that the authentication plugin had worked.

However, when using some other software product ("Wirecast" : http://www.telestream.net/wire-cast/overview.htm) I discovered that this can still stream through our server without providing a username/password. As another test, if I connect to the server and go to the sample "interactive" apps, I can stream my webcam through the server without entering any username/password.

It appears that a password is only required if using Flash Media Live Encoder - if I set the user agent in Wirecast to either "FME/2.5" or "FMLE/3.0" (dumping the strings in the libconnect.so library shows those useragents hard-coded in there), I get prompted for authentication details, but using the default useragent of "Wirecast/FM 1.0" I can connect and broadcast without entering authentication details.

As far as I can tell, this appears to be a major security issue, as it seems that the authentication plugin will let all unknown or forged user agents stream through a FMIS server without requiring any authentication details. This is particularly nasty, as with the authentication plugin installed and tested against the Live Encoder, you probably thought that things were sorted and working as expected.

Has anyone else had this issue? Can anyone else with FMIS and the authentication plugin installed test to see if they can stream through the /live application without entering username/password combinations? Am I missing something painfully obvious here - should I configure anything else in the server somehow?

Thanks,

-Mark

[1]=http://www.adobe.com/go/learn_fms_authaddin_en

    This topic has been closed for replies.

    2 replies

    Known Participant
    August 30, 2010

    I have just downloaded the latest version of Flash Media Streaming Server, in which the auth-plugin is now supported.

    How can I create the user name and password for the Adobe Live Encoder to connect? It is running on Linux. I have looked at the docs and have not found anything.

    If I disable the allowedSWF domains will this prevent archived media from playing?

    Any help would be great,

    February 19, 2010

    Hi Mark,

    The page, https://www.adobe.com/cfusion/entitlement/index.cfm?e=fmle3 does state clearly that the Authentication Add In is to authenticate connections coming in from Flash Media Live Encoder to Flash Media Server only. So that would not work if you are publishing via other means to FMS.

    But you can still accomplish that by writing your own custom authentication module by using the Authorization plugin, wherein based on the user agent of the connecting client you could allow/disallow publish. For more details on how to use the Authorization plug-in please refer to the flashmediaserver_3.5_plugin_dev.pdf in FMS docs.

    Thanks

    Mamata

    February 19, 2010

    Or, since you have FMIS, you could just as well handle authentication with server side actionscript.
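
The publish decision discussed in this thread, as an added example that is not part of any post and is not Adobe's plugin code: it models the reported behaviour (only FME/FMLE agent strings are challenged) next to a fail-closed check that ignores the agent string. The credential store, the `encoder1` account, the function names and the connection objects are all constructed for illustration; the agent strings are the ones quoted in the question.

```javascript
const crypto = require('node:crypto');

// Constructed credential store: username -> salt and scrypt hash (sample values).
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const USERS = new Map([['encoder1', makeRecord('constructed-sample-password')]]);

function credentialsValid(user, pass) {
  const rec = USERS.get(user);
  if (!rec || typeof pass !== 'string') return false;
  return crypto.timingSafeEqual(crypto.scryptSync(pass, rec.salt, 32), rec.hash);
}

// Model of the behaviour reported in the question: only agent strings that look
// like Flash Media Live Encoder are challenged, everything else is let through.
const CHALLENGED_AGENTS = [/^FME\//, /^FMLE\//];
function agentGatedPublish(conn) {
  if (!CHALLENGED_AGENTS.some((re) => re.test(conn.agent))) return 'allow';
  return credentialsValid(conn.user, conn.pass) ? 'allow' : 'reject';
}

// Fail-closed policy: the client-supplied agent string is never consulted.
function failClosedPublish(conn) {
  return credentialsValid(conn.user, conn.pass) ? 'allow' : 'reject';
}

// Constructed connection attempts using the agent strings quoted in the thread.
const ATTEMPTS = [
  { agent: 'FMLE/3.0' },
  { agent: 'FMLE/3.0', user: 'encoder1', pass: 'constructed-sample-password' },
  { agent: 'Wirecast/FM 1.0' },
  { agent: 'Wirecast/FM 1.0', user: 'encoder1', pass: 'wrong' },
  { agent: 'Wirecast/FM 1.0', user: 'encoder1', pass: 'constructed-sample-password' },
];

function comparePolicies() {
  return ATTEMPTS.map((c) => ({
    agent: c.agent,
    hasCreds: Boolean(c.user),
    agentGated: agentGatedPublish(c),
    failClosed: failClosedPublish(c),
  }));
}

console.table(comparePolicies());
```

The two policies differ only on the rows where the agent is not FME/FMLE and the credentials are missing or wrong, which is the gap a custom Authorization plug-in or server-side ActionScript check has to close.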