These are two access plugins for Adobe Media Server that prevent unauthorized clients from publishing to your server. They are currently for the 64-bit Linux edition of AMS only.
Yes they do, but it has two major flaws:
- It's very easily circumvented. It only checks those clients that connect with an FMLE user-agent string. Any client that supplies a different user-agent string (which, for example, Wirecast does by default) is simply let through without any authentication whatsoever.
- It only supports clients that implement Adobe's challenge-response authentication protocol, which many standard RTMP clients don't.
There are actually two separate plugins for two separate use cases:
- The chain plugin. It chain-loads Adobe's original access plugin and passes off any connection from FMLE to that plugin so that the usual user/password authentication system can be used. However, it also fixes the big security problem that Adobe's plugin has by revoking write access for all non-FMLE clients so they won't be able to publish. Use this plugin if you only use encoders supporting Adobe's FMLE authentication system (such as FMLE and Wirecast).
- The key plugin. It requires all publishing clients to supply a valid key as part of the RTMP URL they're connecting to. This is a little less secure than the chain plugin because the key will be transmitted in plain text but gives you more flexibility because it works with any regular RTMP client.
Couldn't the same thing be done with server-side ActionScript or by using an auth plugin instead of an access plugin?
Yes, but not if you're running the (less expensive) AMS Standard Edition which doesn't support either of those. Basically, the only way to run custom code in AMS Standard is with access plugins like these.
Yes. In the examples below I've only listed RTMP URLs using the `live` application, but these plugins will work for any AMS application.
- Install and configure Adobe's FMLE authentication add-in normally. Check that password authentication works with FMLE.
- Make sure g++ and make are installed.
- Change into your AMS access plugin directory (usually `/opt/adobe/ams/modules/access`) and rename `libconnect.so` to `libconnect_chain.so`.
- Change into the `chain` source directory and run `make`. It should compile without errors.
- If your AMS is not installed in `/opt/adobe/ams`, adjust the InstallDir line in `Makefile`.
- As superuser, run `make install`.
- Restart AMS. You should see a line like `Auth adaptor chain loaded from ...` in syslog and no error messages after that.
- You're done. Check that you can still publish with FMLE but can't with, for example, Wirecast.
Note: If you're using Wirecast with the chain plugin you need to set its user-agent to FMLE in the streaming settings.
- Create a file called `keys` in your AMS configuration directory (usually `/opt/adobe/ams/conf`) and enter some access keys of your choice, one per line.
- Make sure g++ and make are installed.
- Change into the `key` source directory and run `make`. It should compile without errors.
- If your AMS is not installed in `/opt/adobe/ams`, adjust the InstallDir line in `Makefile`.
- As superuser, run `make install`.
- Restart AMS. You should see the line `Initializing key access adaptor` in syslog.
- You're done. Check that you can still publish when supplying a valid key (see below) but can't when not supplying a key.
To publish, you now need to append `?key=` and one of the keys from your `keys` file to your RTMP URL (not the stream name!), for example: `rtmp://yourserver/live?key=...`

If your encoder takes the RTMP URL and the stream name as one combined string it will need to look like this: `rtmp://yourserver/live?key=.../livestream`
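
The check the key plugin has to make can be sketched as follows. This is an added example, not the plugin's own source: the function names are hypothetical, no AMS API is used, and it assumes keys contain neither `/` nor `&`. It handles both URL forms shown above and never accepts an empty key.

```cpp
#include <istream>
#include <sstream>
#include <string>
#include <vector>

// Keys file format from the README: one key per line. Blank lines and
// trailing whitespace/CR are dropped so an empty line is never a valid key.
std::vector<std::string> load_keys(std::istream& in) {
    std::vector<std::string> keys;
    std::string line;
    while (std::getline(in, line)) {
        const auto end = line.find_last_not_of(" \t\r");
        if (end == std::string::npos) continue;
        keys.push_back(line.substr(0, end + 1));
    }
    return keys;
}

// Value of the "key" query parameter, or "" if absent. A value ends at '&'
// or '/', which covers the combined form rtmp://host/app?key=K/streamname.
std::string extract_key(const std::string& url) {
    auto pos = url.find('?');
    while (pos != std::string::npos) {
        const auto start = pos + 1;
        const auto stop = url.find_first_of("&/", start);
        const auto len = stop == std::string::npos ? stop : stop - start;
        const std::string param = url.substr(start, len);
        if (param.compare(0, 4, "key=") == 0) return param.substr(4);
        pos = (stop != std::string::npos && url[stop] == '&') ? stop : stop * 0 + std::string::npos;
    }
    return "";
}

// Comparison whose running time does not depend on where the first mismatch is.
bool equal_ct(const std::string& a, const std::string& b) {
    unsigned char diff = a.size() != b.size();
    for (std::size_t i = 0; i < a.size() && i < b.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Publishing is allowed only if a non-empty key was supplied and it is listed.
bool may_publish(const std::vector<std::string>& keys, const std::string& url) {
    const std::string supplied = extract_key(url);
    if (supplied.empty()) return false;
    bool ok = false;
    for (const auto& k : keys) ok |= equal_ct(k, supplied);
    return ok;
}
```
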