[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Nov 17 10:08:34 CST 2009
On Tue, Nov 17, 2009 at 04:25:32PM +0100, Kai Hoerner wrote:
> Tzafrir Cohen wrote:
> > The problem is not guest users. The problem is unintended relays
> > from one trunk to another. If you unintentionally allow authenticated
> > incoming SIP calls to make outgoing paid calls[1].
> >
> > The basic tool Asterisk has for authorization[2] is dialplan contexts.
> >
> >
> > So, consider a sample context such as:
> >
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> >
> > [incoming]
> > ; A separate context for incoming calls:
> > ; We don't trust those callers, and thus only allow them the things they
> > ; really need:
> > include => demo
> > ; Make sure this context will not allow outgoing calls through a paid
> > ; trunk.
> >
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> >
> > We must remember that the sample dialplan is mostly documentation. There
> > are those who use it, but most people just write dialplan from scratch.
> >
> > [1] I use "paid calls" for the sake of clarity. It may be paid PSTN
> > calls, paid SIP calls, or maybe some unpaid calls you assume those
> > incoming callers should not be able to do. For instance, a special
> > extension to switch between day-time and night-time.
> >
> > [2] don't mix authorization and authentication.
> >
> > I still don't agree. I believe that focusing on guests here misses the
>
> Hi Tzafrir,
>
> I do not see where I mixed up authorization and authentication.
That was a general comment, and I was not referring to anything specific
in the discussion.
>
> Authenticated users are not automatically authorized to use special
> extensions for dialout or internal day/night switches for example.
> That's where the contexts come into play. [2]
>
> Authenticated trunks/peers/friends/users should have a context
> specified, that authorizes them for the use of a set of extensions.
> If it is not specified, the "defaultcontext" is inherited, okay.
>
> I suggested an additional option like "guest_context" to separate
> "unauthenticated" (guest) calls from "authenticated but maybe not
> authorized" (trunk) calls.
As per that comment, the dialplan is exactly about authorization. There
are no unauthorized actions in the dialplan[1].
You can set up an arbitrary variable at channel creation time (e.g.:
'setvar').
Sounds like we could really use a dummy entry for the "guest user"[2]
in sip.conf . So you could set up context, extra variables, language and
whatever. This sounds so simple and obvious, that there must be some
sound technical reasons why it won't work well.
> With the solution as-is, both of them end up in the default context.
>
> I do not understand how unintended relay applies at all to this topic.
> Isn't bad dialplan design a configuration issue?
This whole problem is about bad dialplan design. It is about beginners
not planning their dialplan well.
I want to allow random Joe SIP user call my phone. I consider this a
feature. This call takes out a bit of my bandwidth. But if this is a
problem, I can hang up.
I do not want Joe to call into my PBX and from there out through another
trunk.
>
> It is, but this difficulty can be aided by adding more control over what
> calls go into which context.
The dialplan already gives you good control.
>
>
> Regards,
>
> Kaii
[1] Or rather: there may be some actions that the sysadmin thinks are
unauthorized but sadly are authorized.
[2] If Olle doesn't kill it first.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
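
An added example, not part of the original message or of Asterisk: a small audit that follows `include =>` chains from the context unauthenticated callers land in and reports any `Dial()` that reaches a paid trunk, which is the unintended relay discussed above. The sample dialplan is constructed; the trunk name `paidtrunk` and every context name other than `[incoming]` and `demo` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample extensions.conf (not from the thread). "paidtrunk",
# [internal] and [outbound] are hypothetical names used for illustration.
SAMPLE = """
[incoming]
include => demo
include => internal

[demo]
exten => 600,1,Echo()

[internal]
exten => _1XX,1,Dial(SIP/${EXTEN})
include => outbound

[outbound]
exten => _9.,1,Dial(SIP/paidtrunk/${EXTEN:1})
"""

def parse(text):
    """Return ({context: [included contexts]}, {context: [Dial targets]})."""
    includes, dials, ctx = defaultdict(list), defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            ctx = m.group(1)
        elif ctx and (m := re.match(r"include\s*=>\s*(\S+)", line)):
            includes[ctx].append(m.group(1))
        elif ctx and (m := re.search(r"\bDial\(([^,)]+)", line)):
            dials[ctx].append(m.group(1))
    return includes, dials

def relay_paths(text, entry, trunks):
    """List (include chain, Dial target) pairs reachable from `entry` via `trunks`."""
    includes, dials = parse(text)
    found, stack, seen = [], [[entry]], set()
    while stack:
        path = stack.pop()
        ctx = path[-1]
        if ctx in seen:                              # guard against include loops
            continue
        seen.add(ctx)
        for target in dials[ctx]:
            if any(re.search(rf"/{re.escape(t)}(/|$)", target) for t in trunks):
                found.append((path, target))
        stack.extend(path + [inc] for inc in includes[ctx])
    return found
```

The walk covers `include =>` only; jumps made with `Goto()`, macros or `Local/` channels are not followed and need a separate review.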