[asterisk-dev] bug or feature (use From: instead of Digest username to match INVITE) ?

Johansson Olle E olle at voop.com
Wed Oct 11 12:52:38 MST 2006


On 10 Oct 2006, at 01:40, Kevin P. Fleming wrote:

> ----- Luigi Rizzo <rizzo at icir.org> wrote:
>> I am not sure how to handle this. Maybe I miss that, but what's wrong
>> in using the "username" entry in the Proxy-Authorization: line
>> to lookup the matching entry in the users list ?
>
> This is a design problem with the way that Asterisk handles SIP  
> authentication. It should be domain-based, but it is not.
>
> The simple answer to your question is: we need to know what user it  
> is before we have asked for authentication, so we don't have the  
> Proxy-Authorization information yet.
>
> There are two options: either request authentication for all  
> incoming INVITEs, or request authentication based on the target URI  
> being requested and the domain of the requestor (this is 'domain  
> based' authentication).

This is something I started coding earlier in chan_sip2 and realized,
as Kevin says, it's deep down in the core design of chan_sip and can't
easily be fixed. It's a catch-22. We need to know before we challenge
who we are challenging and without an auth header, we have no auth
user name - so we can't base any auth on the auth user name alone. Yet.

Chan_sip3 will have a different algorithm for authentication and
matching. Btw, it will not have users, nor peers. And each domain
will have its own namespace.

But we still have to remember that the extension namespace and the
device naming namespace are two different things in Asterisk. We
should not try to merge them, it will just be confusing. Not using
the From: username will remove this particular confusion.

However, remember that many providers have a policy that the From:
user name (caller ID) and the auth user ID need to match. It still
has to be possible to enforce such a policy with Asterisk.

/O
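
The flow discussed in this message, as an added example that is not part of the original post and is not Asterisk code: an INVITE without Proxy-Authorization can only be challenged, and once the auth user name is known the From: user can be checked against it. The names check_invite and require_match, the 403 rejection and the constructed sample message are assumptions; digest response verification is assumed to happen where marked.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { CHALLENGE_407, ACCEPT, REJECT_403 };

/* Return the value of header `name` in a SIP message, or NULL (long form only). */
static const char *hdr(const char *msg, const char *name) {
    size_t n = strlen(name);
    for (const char *p = msg; p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (!strncasecmp(p, name, n) && p[n] == ':') return p + n + 1;
    return NULL;
}

/* Copy the text between marker `start` and char `end` on one header line. */
static int between(const char *v, const char *start, char end, char *out, size_t cap) {
    size_t len = strcspn(v, "\r\n");
    const char *s = strstr(v, start);
    if (!s || (size_t)(s - v) >= len) return 0;
    s += strlen(start);
    const char *e = memchr(s, end, len - (size_t)(s - v));
    if (!e || (size_t)(e - s) >= cap) return 0;
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return 1;
}

/* require_match models the provider policy: From user must equal auth user. */
enum verdict check_invite(const char *msg, int require_match) {
    char from[64], auth[64];
    const char *a = hdr(msg, "Proxy-Authorization");
    if (!a || !between(a, "username=\"", '"', auth, sizeof auth))
        return CHALLENGE_407; /* no auth user name yet, so nothing to look up */
    /* Assumed: the digest response is verified for `auth` at this point. */
    const char *f = hdr(msg, "From");
    if (!f || !between(f, "sip:", '@', from, sizeof from)) return REJECT_403;
    if (require_match && strcmp(from, auth) != 0) return REJECT_403;
    return ACCEPT;
}

/* Constructed sample: authenticated as "alice" but From claims "bob". */
static const char SPOOFED[] =
    "INVITE sip:100@pbx.example.com SIP/2.0\r\n"
    "From: \"Bob\" <sip:bob@example.com>;tag=1\r\n"
    "Proxy-Authorization: Digest username=\"alice\", realm=\"example.com\"\r\n\r\n";

int main(void) {
    printf("%d %d\n", check_invite(SPOOFED, 1), check_invite(SPOOFED, 0));
    return 0;
}
```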


