[asterisk-dev] chan_sip SIP Authentication
klaus.mailinglists at pernau.at
Fri Jan 30 01:34:24 CST 2009
Philipp Kempgen schrieb:
> Johansson Olle E schrieb:
>>> Klaus Darilion schrieb:
>>>> I think changing the priority (peer before user) might be a
>>>> solution as
>>>> well. Actually if someone uses "peers" for gateways and "users" for
>>>> clients IMO the gateways should have higher priority. Another
>>>> option would be the order in sip.conf.
>> But the recommendation still stands: You shalt not mix namespaces.
> Just that there are no namespaces. A separate namespace for device
> names has to be simulated by prefixing them with something that is
> guaranteed not be be found in an extension, such as "device--",
> provided the admin doesn't allow "--" in extensions.
> For obvious reasons it would be a bad idea to prefix extensions
> with an artificial string.
As the system I currently set up is purely uses phone numbers, I think I
prefix the username just with a single letter, that will give me 2
>> You will confuse yourself and, if you are a service provider,
>> reveal phone numbers in signalling that in some cases are supposed
>> to be hidden. In Sweden, that will even be against regulation.
> Is it ok to reveal device names then?
> And BTW: Thanks for adding
Yes, great. But one question:
> Note: The parameter "username" is not the username and in most
> cases is not needed at all. Check below. In later releases,
> it's renamed to "defaultuser" which is a better name, since it
> is used in combination with the "defaultip" setting.
I do not understand that clearly. I always thought that "username" is
the authentication user. (in this cause it should be renamed to authuser)
The other appearances make me think that "username" is also allowed for
users - but it is not listed in the user section.
btw: shouldn't it be possible to configure a peer's outgoing and
incoming credentials separate? (Using [authentication] realm does not
solve this when peers use the same realm)
> So what about completely random names such as "account--2hs9n"?
Actually this is really PITA. Maybe the namespace separation should be
done on the full SIP URI, not only the user part, e.g. use
sip:+4312345 at pbx.example.com for the SIP account, but use
sip:+4312345 at gw.example.com for phone numbers. I know Asterisk supports
a multi domain mode - but I have never used it yet. So, would this be
possible to prevent the "user" matching the "peer" if domain mode is
activated and GW uses a different domain?
Of course even nicer would be if the GW uses tel:+4312345 in the From
header, then the "user" should not match too.
> But then again I still need to think about what influence this
> might have on SIP <--> ISDN interworking for example.
> Philipp Kempgen
More information about the asterisk-dev