[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Atis Lezdins atis at iq-labs.net
Thu Nov 12 11:52:32 CST 2009


On Thu, Nov 12, 2009 at 5:00 PM, Jared Smith <jsmith at digium.com> wrote:
> On Thu, 2009-11-12 at 08:42 -0600, Tilghman Lesher wrote:
>> I agree with your note, but I disagree with disabling guest access in the
>> sample configuration.  The reasoning is that we want new users to be able
>> to get Asterisk to work as easily as possible in the sample configuration.
>> Even if their SIP phone is not correctly configured with a password, they
>> should be able to operate the demo.  Once we start complicating the samples,
>> we run the risk of new users being unable to get over that initial hump and
>> losing interest, all because they become unable to get Asterisk to respond
>> with anything other than an error.
>
> I tend to agree with Tilghman here, and believe that the proper thing to
> do might be to put a note in extensions.conf (in the [default] context)
> stating that the user should be careful what they put in the [default]
> context, as unauthenticated calls go to that context by default.

That's a good addition anyway, and don't forget extensions.ael and extensions.lua.

However, how many users actually read all the comments in sample
config files? If you need to get something to work - you go and read
it, otherwise - why bother?

> In short, I'd rather have an educated user than an uneducated user who
> can't get Asterisk to work for them.

How educated would a user be who can't set up a username and password?

So, I agree that it could be changed in the next major version.

Regards,
Atis

-- 
Atis Lezdins,
VoIP Project Manager / Developer,
IQ Labs Inc,
atis at iq-labs.net
Skype: atis.lezdins
Cell Phone: +371 28806004
Cell Phone: +1 800 7300689
Work phone: +1 800 7502835
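
An added example, not part of the original message or of Asterisk itself: a small audit that reads sip.conf and extensions.conf text and lists which dialplan entries an unauthenticated caller lands on, following the behaviour described in the thread (guest calls go to the [default] context unless `context` in [general] says otherwise). The sample files are constructed, the function names are hypothetical, and the parser is simplified: it ignores `same =>` lines, templates, `#include`, and extensions.ael / extensions.lua.

```python
import re

TRUE_WORDS = {"yes", "true", "y", "t", "1", "on"}

def parse_sections(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (escaped ';' not handled)
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # covers both 'k = v' and 'k => v'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def guest_exposure(sip_conf, extensions_conf):
    """Report whether guests are accepted and which dialplan entries they reach."""
    general = dict(parse_sections(sip_conf).get("general", []))
    # An unset option counts as enabled: allowguest=yes is the default being debated.
    allowed = general.get("allowguest", "yes").lower() in TRUE_WORDS
    context = general.get("context", "default")
    reachable, seen, queue = [], set(), [context] if allowed else []
    dialplan = parse_sections(extensions_conf)
    while queue:
        ctx = queue.pop(0)
        if ctx in seen:
            continue
        seen.add(ctx)
        for key, value in dialplan.get(ctx, []):
            if key == "include":  # included contexts are reachable too
                queue.append(value.split(",")[0].strip())
            elif key == "exten":  # exten => pattern,priority,App(args)
                parts = value.split(",", 2)
                if len(parts) == 3:
                    reachable.append((ctx, parts[0], parts[2].split("(")[0]))
    return {"allowguest": allowed, "context": context, "reachable": reachable}

# Constructed sample files, not taken from the Asterisk distribution.
SIP_CONF = "[general]\ncontext = default   ; allowguest is not set\nbindport = 5060\n"
EXTENSIONS_CONF = """[default]
include => demo
exten => _9.,1,Dial(SIP/trunk/${EXTEN:1})
[demo]
exten => s,1,Answer()
[internal]
exten => 100,1,Dial(SIP/alice)
"""

if __name__ == "__main__":
    for ctx, pattern, app in guest_exposure(SIP_CONF, EXTENSIONS_CONF)["reachable"]:
        print(f"guest-reachable: [{ctx}] {pattern} -> {app}")
```
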
