[asterisk-dev] [Code Review] SIP authentication support
Olle E. Johansson
oej at edvina.net
Wed Feb 13 01:45:18 CST 2013
11 feb 2013 kl. 14:37 skrev Joshua Colp <jcolp at digium.com>:
> Hans Witvliet wrote:
>> Perhaps a long shot, but why can't asterisk use use the authentication
>> methods already existing on systems?
>> Something like pam_asterisk ?
>> If possible, you could use anything (pwd, ldap, kerberos, pkcs11, ...)
>> Or do i over-simplify things...
> The discussion that Mark and Olle were having was referring to the authentication between the end device (a SIP phone for example) and the new SIP work within Asterisk. There are defined standards for doing that, that both have to implement.
> PAM is really for what you are authenticating against. IE: I want to authenticate using LDAP for my credentials. That has nothing to do with the actual communication with the end device. (Disclaimer: Depending on the actual PAM module in use this can be untrue.)
A problem with external authentication is that in most cases it's not compatible with MD5 digest. In order to calculate the actual digest, we need to have the secret in clear text. We can get that from LDAP or external systems, but that's not LDAP Authentication if you see the difference. In many of these solutions, I send the password and username that I got to an external authenticator and get "yes" or "no" back. We can not do that in MD5 digest.
More information about the asterisk-dev