# [SOLVED] ssh tunnel and mysql authentication to stream media

## mimosinnet

I need users in a drupal site to be able to stream to an icecast server authenticating with a drupal mysql database.

Icecast allows for a source authentication (you can stream if you provide the username and password), or you need to define individual mountpoints in an xml file. In this situation, it looked easier to have an authentication procedure independent of the icecast xml file using ssh and netcat.

Two users have been created:

- streamauth: it authenticates and opens the listening port by calling a script on the server side.

- streaming: it opens a tunnel on the client side to send the data.

To call the script, this is included in the /etc/ssh/sshd_config:

```
Match User streamauth
        ForceCommand /usr/local/bin/streaming.sh
```

/usr/local/bin/streaming.sh is a simple script that authenticates against the mysql database and opens the listening port with netcat:

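```
#!/bin/bash
# MySQL root password, read from a file named "password" in the working directory
recordar=$(cat password)
port="4001"

# Prompt for the Drupal credentials (-r keeps backslashes as typed)
echo -n "username: "
read -r usuaria
echo -n "password: "
read -r contrassenya1

# md5sum prints "<hash>  -"; the extra characters are trimmed further down
contrassenya1=$(printf '%s' "$contrassenya1" | md5sum)

database="generatech_v3"
# Note: $usuaria is placed in the query exactly as typed, with no escaping
cerca="select pass from users where name='$usuaria'"
contrassenya2=$(mysql -u root -p"$recordar" "$database" -e "$cerca" -ss -r)

# No row returned: unknown user
caracters=${#contrassenya2}
if [[ $caracters == "0" ]]
then
        exit
fi

# Keep only as many characters as the stored hash has
contrassenya1=${contrassenya1:0:$caracters}

# The quoted right-hand side is compared literally, not as a pattern
if [[ $contrassenya1 == "$contrassenya2" ]]
then
        echo "Authenticated"
        echo "Opening port $port for receiving data"
        # Listen on the port and forward the stream to icecast with the source password
        nc6 -v -l -p "$port" | oggfwd -p localhost 8000 password "/$usuaria.ogg"
        exit
else
        echo "Wrong username/password"
        exit
fi
```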

With this configuration, the streamauth user authenticates and starts netcat listening on the port and sending the data to the icecast server with the source password:

```
ssh streamauth@mimosin
```

After the authentication, it is possible to send the stream through a ssh tunnel:

```
ssh -f -L 58001:localhost:4001 streaming@mimosin sleep 10;  cat delvjcorunha01.ogg | nc localhost 58001
```

Although it is now working, I need to have both terminals open (when I close the one with the streamauth user netcat stops listening to the port).

I was wondering if somebody could suggest some other solution or some improvement.

Thanks a lot!

Last edited by mimosinnet on Mon Mar 07, 2011 11:45 am; edited 1 time in total
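Added example, not part of the original post: the checks in streaming.sh reworked so that the username is validated before it reaches the SQL string and the mount path, the MySQL password stays out of the process list, and the hash comparison is literal and full-length. The allowed username characters, the option-file path `/etc/streaming/my.cnf` and the function names are assumptions.

```bash
#!/bin/bash
# Added example: hardened versions of the checks in streaming.sh.
# The username character set and the option-file path are assumptions.
LC_ALL=C; export LC_ALL

# Accept only 1-32 characters from [A-Za-z0-9_.-], so the name is safe both
# inside the SQL string literal and inside the /<name>.ogg mount path.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Hex MD5 of the exact bytes of $1 (md5sum appends "  -", which is cut off).
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Stored hash for a user. The MySQL credentials live in an option file
# (hypothetical path, mode 0600) instead of on the command line.
lookup_hash() {
    mysql --defaults-extra-file=/etc/streaming/my.cnf -N -B generatech_v3 \
        -e "select pass from users where name='$1'"
}

# Succeeds only when the stored value is a full 32-digit hex MD5 and equals
# the MD5 of the candidate password, compared as literal strings.
password_matches() {
    stored=$1 candidate=$2
    [ "${#stored}" -eq 32 ] || return 1
    case "$stored" in *[!0-9a-f]*) return 1 ;; esac
    [ "$(md5_hex "$candidate")" = "$stored" ]
}

# Full check: validate the name before it reaches SQL, then compare hashes.
authenticate() {
    valid_username "$1" || return 1
    stored=$(lookup_hash "$1") || return 1
    password_matches "$stored" "$2"
}
```

In the ForceCommand script, `authenticate "$usuaria" "$contrassenya1"` would replace the query and comparison, with the password read by `read -rs` so it is not echoed.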

----------

## mimosinnet

After playing with ssh tunnels and netcat, I have discovered that some versions of icecast have stream_auth url authentication:

```
stream_auth

This URL is for determining whether a source or admin request is allowed to proceed. This is only used for source client connections and admin requests which apply to sources.
```

This is available in the icecast-kh branches. With the stream_auth option it is possible to use php to authenticate an icecast stream against a mysql database.

Nice play with ssh tunnels and netcat, though.

Thanks for reading!

----------

