[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Tilghman Lesher tlesher at digium.com
Thu Nov 12 08:42:28 CST 2009


On Thursday 12 November 2009 08:01:09 Leif Madsen wrote:
> Kai Hoerner wrote:
> > "ATTENTION: If your Asterisk is connected to the internet and you have
> > allowguest=yes, everybody out there may use your default context without
> > authentication. In that case you want to double check which services you
> > offer to the world."
>
> I don't think this is a bad idea, and I've created the following
> documentation patch which implements this note. I've also changed (in my
> patch) the sip.conf.sample file which has 'allowguest=no' uncommented, but
> which preserves the note and code to keep allowguest=yes the default.

I agree with your note, but I disagree with disabling guest access in the
sample configuration.  The reasoning is that we want new users to be able
to get Asterisk to work as easily as possible in the sample configuration.
Even if their SIP phone is not correctly configured with a password, they
should be able to operate the demo.  Once we start complicating the samples,
we run the risk of new users being unable to get over that initial hump and
losing interest, all because they become unable to get Asterisk to respond
with anything other than an error.

There is something magical about the first time you get Asterisk to "respond",
and we don't want to make that moment harder for new users.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
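
Added example, not part of the original message and not Asterisk code: a small
audit of a sip.conf that reports whether guest calls are effectively allowed and
which context they reach, treating a missing allowguest line as yes (the default
discussed in this thread). Assumptions: guests land in the [general] context=
value ("default" if unset), the boolean spellings in TRUTHY, and the sample
configs, which are constructed.

```python
import re

TRUTHY = {"yes", "true", "y", "t", "1", "on"}  # assumed boolean spellings

def guest_exposure(conf_text):
    """Return (guests_allowed, guest_context) from the [general] section."""
    section = None
    allowed = True        # no allowguest line means yes, the default in this thread
    context = "default"   # assumption: guests use [general] context=, else "default"
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (escaped '\;' not handled)
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "general" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.lstrip(">").strip()  # also 'key => value'
        if key == "allowguest":
            allowed = value.lower() in TRUTHY  # last assignment wins
        elif key == "context":
            context = value
    return allowed, context

def audit(conf_text):
    allowed, context = guest_exposure(conf_text)
    if allowed:
        return f"WARN: unauthenticated SIP callers reach [{context}]; review what it offers"
    return "OK: guest calls are rejected (allowguest is off)"

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_DEFAULT = """[general]
context=public         ; context used for incoming guest calls
;allowguest=no         ; commented out, so the default (yes) applies

[6001]
type=friend
context=internal
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(";allowguest=no", "allowguest=no")

if __name__ == "__main__":
    print(audit(SAMPLE_DEFAULT))
    print(audit(SAMPLE_HARDENED))
```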


