[asterisk-bugs] [JIRA] (ASTERISK-23322) Unable to use SIP INVITE authentication with type=peer and device name mismatch with username

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Feb 19 23:40:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215463#comment-215463 ] 

Matt Jordan commented on ASTERISK-23322:
----------------------------------------

# In general, I don't agree with changing this behaviour as a fix for a bug. While defaulting to using "fromuser" and then falling back to the peer name may seem harmless, this could easily cause authentication issues if the fromuser is different than the peer but the peer had been configured to authenticate as the peer name. Making this change in a release branch seems like a bad idea.
# That leads to considering it as an improvement. As it would be an improvement, the patch would need to be written against trunk, not Asterisk 11.
# As a general improvement, this patch creates a behaviour mismatch in how we perform authentication. We now would authenticate INVITE requests in a fashion different than REGISTER requests, which would be bad. A behaviour change should change how all peers are authenticated, not just how they are authenticated for some requests.

Even so, I'd discourage changing this behaviour. It changes a long standing mechanism in Asterisk for very little gain. The fact that you named your peer something other than what it wanted to authenticate as was a choice you made when you configured Asterisk. That's not a security hole, it's a poor choice in your configuration.
                
> Unable to use SIP INVITE authentication with type=peer and device name mismatch with username
> ---------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23322
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23322
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 11.7.0
>            Reporter: Igor Nikolaev
>            Assignee: Igor Nikolaev
>            Severity: Trivial
>         Attachments: asterisk-chan_sip-inbound-invite-auth.patch
>
>
> Scenario:
> sip.conf
> {noformat}
> [devicename]
> type=peer
> fromuser=authuser
> secret=...
> {noformat}
> In this case, if devicename is not equal to authuser, you need to add the statement "insecure=invite" to receive incoming calls. But these INVITEs are not authenticated by the receiving system. It's a security hole.
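
The two sip.conf variants the report and the reply are arguing about, written out side by side as an added example (this is not the reporter's configuration, the attached patch, or Asterisk project code). It follows the reply's point that a type=peer entry authenticates under its section name, so the section must be named after the username the device presents in its Digest credentials. The host address, context and callerid values are assumptions for illustration; the secret is left elided as on the page.

```ini
; Weak: the peer is named "devicename" but the device authenticates as
; "authuser". INVITE authentication can never match, so insecure=invite is
; added to accept the calls, which skips the challenge entirely. Any INVITE
; arriving from the configured address is then accepted without a secret.
[devicename]
type=peer
host=192.0.2.10        ; assumed for illustration (documentation address)
fromuser=authuser
secret=...
insecure=invite        ; inbound INVITEs from this peer are not authenticated
context=from-trunk     ; assumed for illustration

; Corrected: name the section after the username the device authenticates
; with, exactly as the reply recommends. No insecure= setting is needed;
; inbound INVITEs are challenged and checked against secret=.
[authuser]
type=peer
host=192.0.2.10        ; assumed for illustration (documentation address)
fromuser=authuser      ; kept as in the report; only affects outbound From:
secret=...
callerid="devicename" <authuser>   ; assumed; keeps the device label visible
context=from-trunk     ; assumed for illustration
```

Reload with `sip reload` and check the result with `sip show peer authuser` from the Asterisk CLI; an inbound INVITE from that address should now receive a 401 challenge rather than being accepted unauthenticated.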
