[asterisk-dev] chan_sip SIP Authentication

Johansson Olle E oej at edvina.net
Fri Jan 30 02:54:06 CST 2009


30 jan 2009 kl. 08.34 skrev Klaus Darilion:

>
>
> Philipp Kempgen schrieb:
>> Johansson Olle E schrieb:
>>>> Klaus Darilion schrieb:
>>
>>>>> I think changing the priority (peer before user) might be a
>>>>> solution as
>>>>> well. Actually if someone uses "peers" for gateways and "users"  
>>>>> for
>>>>> SIP
>>>>> clients IMO the gateways should have higher priority. Another
>>>>> matching
>>>>> option would be the order in sip.conf.
>>
>>> But the recommendation still stands: You shalt not mix namespaces.
>>
>> Just that there are no namespaces. A separate namespace for device
>> names has to be simulated by prefixing them with something that is
>> guaranteed not be be found in an extension, such as "device--",
>> provided the admin doesn't allow "--" in extensions.
>>
>> For obvious reasons it would be a bad idea to prefix extensions
>> with an artificial string.
>
> As the system I currently set up is purely uses phone numbers, I  
> think I
> prefix the username just with a single letter, that will give me 2
> separate namespaces
>
>>> You will confuse yourself and, if you are a service provider,
>>> reveal phone numbers in signalling that in some cases are supposed
>>> to be hidden. In Sweden, that will even be against regulation.
>>
>> Is it ok to reveal device names then?
>>
>> And BTW: Thanks for adding
>> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837
>
> Yes, great. But one question:
>
>> Note: The parameter "username" is not the username and in most
>> cases is not needed at all. Check below. In later releases,
>> it's renamed to "defaultuser" which is a better name, since it
>> is used in combination with the "defaultip" setting.
>
> I do not understand that clearly. I always thought that "username" is
> the authentication user. (in this cause it should be renamed to  
> authuser)
That's a bug that I really should take some time to look into. Using one
parameter for two different things is bad. Really bad. But yes,
for outbound connections it's used as auth user.  Thanks for reminding
me.

>
> The other appearances make me think that "username" is also allowed  
> for
> users - but it is not listed in the user section.
No, it's only used for peers. The name of the user object is whatever  
you
put between square brackets. This is a very common misunderstanding.

>
> btw: shouldn't it be possible to configure a peer's outgoing and
> incoming credentials separate? (Using [authentication] realm does not
> solve this when peers use the same realm)
Check trunk, Klaus. remotesecret=

>
>>
>> So what about completely random names such as "account--2hs9n"?
>
> Actually this is really PITA. Maybe the namespace separation should be
> done on the full SIP URI, not only the user part, e.g. use
> sip:+4312345 at pbx.example.com for the SIP account, but use
> sip:+4312345 at gw.example.com for phone numbers. I know Asterisk  
> supports
> a multi domain mode - but I have never used it yet. So, would this be
> possible to prevent the "user" matching the "peer" if domain mode is
> activated and GW uses a different domain?
Remember that users and peers are not connected to domains... yet.
User matching is for all domains, not a particular domain. That's  
something
I've had in my future design for chan_sip for a long time.


/O



More information about the asterisk-dev mailing list