[asterisk-dev] Plaintext auth support in IAX2

Eugene Varnavsky varnavruz at gmail.com
Mon Nov 4 02:21:35 CST 2013


Hello!

I have opened a bug report (ASTERISK-22820) and submitted a patch, but, as
Michael L. Young suggested there, it is worth discussing the issue on this
mailing list first.

Starting from draft 2 of RFC 5456 (October 23, 2006), plaintext auth is
taken out of the specification of the IAX2 protocol. Please refer to section
8.6.3 of RFC 5456. The reasons are obvious - it is very, very unsafe to send
plaintext passwords over the net.
But plaintext auth is still supported by the Asterisk implementation of IAX2.

I propose a number of solutions, from more to less radical. Choose one:

1. Remove plaintext auth support completely (patch does this)
2. Accept, but never send plaintext passwords
3. Accept and send plaintext passwords, but never use plaintext auth by
default (current defaults are MD5 first, plaintext second)
4. Declare plaintext auth deprecated, add warnings to logs and documentation

I will make a patch for any of these variants, based on what the community
decides.
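
An added example, not part of the original message or of the Asterisk
code base: a small audit that lists the iax.conf entries which still permit
plaintext auth, either through an explicit auth= line or by falling back to
the defaults the post describes. The sample config, entry names and the
audit_plaintext helper are constructed for illustration.

```python
import re

# Constructed sample iax.conf; entry names and secrets are made up.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569
[branch-office]
type=friend
secret=example1        ; constructed value
auth=md5,plaintext
[softphone]
type=user
auth = md5
[legacy-gw]
type=peer              ; no auth= line, so the defaults apply
"""

# Assumption taken from the post: with no auth= line the defaults are
# MD5 first, plaintext second.
DEFAULT_AUTH = ["md5", "plaintext"]
SECTION = re.compile(r"^\[([^\]]+)\]")  # also matches "[name](template)"


def audit_plaintext(conf_text):
    """Return {entry: reason} for entries that permit plaintext auth."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = None             # None = no auth= line seen
        elif current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "auth":            # accepts "auth=" and "auth =>"
                methods = value.lstrip(">").split(",")
                sections[current] = [a.strip().lower() for a in methods]
    findings = {}
    for name, methods in sections.items():
        if name == "general":                    # not a peer/user entry
            continue
        if methods is None and "plaintext" in DEFAULT_AUTH:
            findings[name] = "implicit default"
        elif methods and "plaintext" in methods:
            findings[name] = "explicit"
    return findings


if __name__ == "__main__":
    for name, why in audit_plaintext(SAMPLE_IAX_CONF).items():
        print(f"{name}: plaintext auth allowed ({why})")
```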