[asterisk-bugs] [Asterisk 0005424]: [patch] SIP peer authentication on an external database (RADIUS - LDAP)

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Aug 22 03:33:16 CDT 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=5424 
====================================================================== 
Reported By:                phsultan
Assigned To:                oej
====================================================================== 
Project:                    Asterisk
Issue ID:                   5424
Category:                   Channels/chan_sip
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     feedback
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases): trunk 
SVN Revision (number only!): 54702 
Disclaimer on File?:        Yes 
Request Review:              
====================================================================== 
Date Submitted:             10-11-2005 08:44 CDT
Last Modified:              08-22-2007 03:33 CDT
====================================================================== 
Summary:                    [patch] SIP peer authentication on an external
database (RADIUS - LDAP)
Description: 
We have been working on integrating an existing authentication database to
our Asterisk server, for a remote access telephony solution.

We focused on RADIUS and patched Asterisk to have it working. We are
planning to have a backend LDAP server accessed through RADIUS for
authentication in the near future.

The sip.conf file does not contain any secret (clear or hashed), and we
added an attribute 'auth_type' that specifies the type of authentication,
set to PAM in the following example:

	[username]
	type=friend
	context=from-sip-remote-clients
	fromdomain=inria.fr
	auth_type=pam
	host=dynamic
We patched the chan_sip.c file, $Revision: 1.872$. We actually brought the
RADIUS client functionality for authentication (triggered on registration)
using a PAM module: pam_radius. This is because we expect that other PAM
authentication modules than pam_radius could be used for the same purpose.

The pam_radius module also needed some slight modifications in order to
handle the digest authentication mechanism:
http://bugs.freeradius.org/show_bug.cgi?id=259

We would like to have some feedback about this, thank you in advance.

Best regards, happy Astricon to those concerned!

Philippe Sultan
INRIA

PS: Disclaimer sent on 2005-09-30
====================================================================== 

---------------------------------------------------------------------- 
 phsultan - 08-22-07 03:33  
---------------------------------------------------------------------- 
skvidal: the initial patch used PAM to make Asterisk a RADIUS client that
would authenticate users from a RADIUS server. This approach has been
abandoned, and the RADIUS client Asterisk relies on is the radiusclient-ng
API (also used by Asterisk for handling RADIUS CDRs).

Now, an LDAP server has been added to the authentication resources
Asterisk can use. Asterisk uses the openldap API to be able to authenticate
users.

I'll have to update the 'description' section of this bug report, but the
'additional information' is up to date. I'll also have to update the branch
that contains the code :)

A general comment on authenticating SIP users, following your post on the
forum: keep in mind that SIP uses a challenge/response mechanism for user
authentication, so that actual passwords never travel over the network.
While this mechanism can be reliably used to exchange credentials, it
prevents using an authentication database that would store passwords in
an irreversibly encrypted form (SHA or MD5 for example).

Two alternatives for storing passwords for SIP accounts: clear text, or
HA1 string.

XMPP (Jabber) for example, does have this problem, as it comes along with
a flexible authentication mechanism and can be secured with TLS (SIP over
UDP cannot be secured with TLS).
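The following is an added worked example of the challenge/response mechanism discussed in the note above; it is not code from Asterisk, chan_sip or the patch attached to this issue. It shows why a backend can verify a SIP REGISTER while storing either the clear-text password or the HA1 string, and why a backend that stores only an irreversible hash of the password cannot. The username, realm, password, URI and nonce are constructed sample values (the realm reuses the fromdomain from the sample sip.conf only for illustration; Asterisk's realm is a separate setting), and the response is computed in the RFC 2617 MD5 form without qop.

```python
import hashlib
import hmac
import re

# Constructed sample values for this example (not from the bug report).
USER = "username"
REALM = "inria.fr"            # assumption: realm chosen to match the sample config's domain
PASSWORD = "s3cret"           # constructed; only the client ever holds this
METHOD = "REGISTER"
URI = "sip:inria.fr"
NONCE = "1a2b3c4d5e6f"        # constructed server challenge; a real server issues a fresh one per 401


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is the 'HA1 string' a backend can
    store instead of the clear-text password; it is bound to user and realm."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri)).
    Both client and server need only HA1, never the password itself."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


def client_authorization_header(user, realm, password, method, uri, nonce) -> str:
    """What a SIP client sends after a 401 challenge: the password is reduced
    to HA1 locally and only the response hash travels over the network."""
    resp = digest_response(ha1(user, realm, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_digest_header(header: str) -> dict:
    """Parse the comma-separated key=value parameters (quoted or bare)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def server_verify(stored_credential: str, stored_kind: str, method: str,
                  expected_nonce: str, header: str) -> bool:
    """Server side. stored_kind 'cleartext' or 'ha1' both let the server
    reconstruct HA1. Any other stored form (e.g. an unsalted SHA/MD5 of the
    password alone) cannot be turned into HA1, which is the limitation the
    note above describes."""
    p = parse_digest_header(header)
    if p.get("nonce") != expected_nonce:      # stale or replayed challenge
        return False
    if stored_kind == "cleartext":
        h1 = ha1(p["username"], p["realm"], stored_credential)
    elif stored_kind == "ha1":
        h1 = stored_credential
    else:
        raise ValueError("cannot derive HA1 from an irreversible password hash")
    expected = digest_response(h1, method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    hdr = client_authorization_header(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    print(hdr)
    print("cleartext backend:", server_verify(PASSWORD, "cleartext", METHOD, NONCE, hdr))
    print("HA1 backend:      ", server_verify(ha1(USER, REALM, PASSWORD), "ha1", METHOD, NONCE, hdr))
```

Running the script prints the Authorization header a client would send (note that the clear-text password never appears in it) and shows that both storage forms verify the same response. Because HA1 includes the realm, an HA1 string leaked from one domain's backend does not directly serve as a credential for a different realm, which is one reason to prefer it over clear text when the backend cannot be fully trusted.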

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-22-07 03:33  phsultan       Note Added: 0069230                          
======================================================================