Coturn authentication configuration is incorrect
I installed coturn on Debian with the configuration from http://docs.bigbluebutton.org/2.2/setup-turn-server.html
I got this warning/error:
CONFIGURATION ALERT: You specified --lt-cred-mech and --use-auth-secret in the same time.
Be aware that you could not mix the username/password and the shared secret based auth methohds.
Shared secret overrides username/password based auth method. Check your configuration!
Reading the man page, it seems that use-auth-secret supersedes lt-cred-mech, so only use-auth-secret should be kept. This is consistent with the warning message ("Shared secret overrides username/password based auth method") and with the example configuration shipped in the Debian package:
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
# Notice that this feature depends internally on lt-cred-mech, so if you set
# use-auth-secret then it enables internally automatically lt-cred-mech option
# like if you enable both.
#
# You can use only one of the to auth mechanisms in the same time because,
# both mechanism use the username and password validation in different way.
#
# This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion.
Note that this is coturn from Debian stretch-backports (version 4.5.1.0, while Ubuntu 18.04 has 4.5.0.7; I don't expect it would make a huge difference).
Thanks for the feedback. Could you install coturn using bbb-install.sh, see
https://github.com/bigbluebutton/bbb-install#install-a-turn-server
and let us know if the configuration is correct or not. If correct, we can update the docs to match.
I have checked a fresh coturn install with the bbb-install.sh script. It also puts those two lines in the coturn.conf
# The long-term credential mechanism is required for WebRTC
lt-cred-mech
lt-cred-mech seems not to override use-auth-secret as long as no user:pw pair is defined. As we use the latter, the two lines should not be part of the config nor the docs to avoid conflicts.
So, I checked coturn on Ubuntu 18.04 with the bbb-install.sh script and it does indeed enable lt-cred-mech.
However, I could not see the same CONFIGURATION ALERT warning, even when looking at the stdout of turnserver (see below). I guess the warning was added between 4.5.0.7 and 4.5.1.0. I still think that these two options are incompatible and that lt-cred-mech should be removed (both in bbb-install.sh and in the doc).
Additional notes: there are a number of differences with Debian because Ubuntu 18.04 still uses the /etc/init.d/coturn script instead of a systemd unit file. Most notably, the log file does not contain all logs! Some messages from turnserver are only sent on stdout. I will suggest moving to syslog in another ticket.
bbb-install.sh and the doc still haven't changed.
related documentation PR: https://github.com/bigbluebutton/bigbluebutton.github.io/pull/138
Update:
The coturn config file and a developer explain that you should never use lt-cred-mech and use-auth-secret at the same time. lt-cred-mech would only make sense if you also specify credentials, so that shouldn't even work in the current configuration.
Looking at other projects, Jitsi Meet, Nextcloud Talk and Matrix Synapse all suggest not using lt-cred-mech. But Kurento only mentions lt-cred-mech and user authentication.
Update: Janus has another description of the different possible TURN configurations.
LiveKit brings some changes to this topic. According to https://github.com/livekit/livekit/issues/2245 it depends on lt-cred-mech.
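As an added example (not code from this thread, BigBlueButton or coturn): a small Python check that reads the active lines of a turnserver.conf and flags the lt-cred-mech / use-auth-secret combination discussed above. The sample configuration, the placeholder secret, the finding codes and the function names are constructed for illustration.

```python
# Constructed sample reproducing the combination described in the thread.
SAMPLE_CONF = """\
# The long-term credential mechanism is required for WebRTC
lt-cred-mech
use-auth-secret
static-auth-secret=PLACEHOLDER_SECRET
realm=turn.example.org
"""

def parse_options(text):
    """Return {option: [values]} for the uncommented lines of a turnserver.conf."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # only full-line comments are skipped; a value may contain '#'
        name, _, value = line.partition("=")
        # Tolerate the command-line spelling (--lt-cred-mech) as well.
        opts.setdefault(name.strip().lstrip("-"), []).append(value.strip())
    return opts

def audit_auth(text):
    """Return a list of (code, message) findings about the auth settings."""
    opts = parse_options(text)
    lt = "lt-cred-mech" in opts
    secret_mode = "use-auth-secret" in opts
    users = opts.get("user", [])
    findings = []
    if lt and secret_mode:
        findings.append(("both-mechanisms",
            "lt-cred-mech and use-auth-secret are both set; the shared secret "
            "overrides username/password auth, so drop lt-cred-mech"))
    if secret_mode and users:
        findings.append(("users-with-secret",
            "user= entries are present alongside use-auth-secret"))
    if secret_mode and not any(opts.get("static-auth-secret", [])):
        findings.append(("no-static-secret",
            "use-auth-secret without static-auth-secret in this file"))
    if lt and not secret_mode and not users:
        findings.append(("lt-no-user",
            "lt-cred-mech is set but this file defines no user= credentials"))
    if not lt and not secret_mode:
        findings.append(("no-auth",
            "neither lt-cred-mech nor use-auth-secret is set"))
    return findings

if __name__ == "__main__":
    for code, message in audit_auth(SAMPLE_CONF):
        print(f"{code}: {message}")
```

The check only looks at the file it is given; credentials or secrets held in a coturn user database are outside its view.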