[asterisk-dev] Plaintext auth support in IAX2

Tilghman Lesher tilghman at meg.abyt.es
Mon Nov 4 11:55:21 CST 2013


On Mon, Nov 4, 2013 at 11:10 AM, Matthew Jordan <mjordan at digium.com> wrote:
>
> On Mon, Nov 4, 2013 at 2:21 AM, Eugene Varnavsky <varnavruz at gmail.com>
> wrote:
>> I propose a number of solutions, from more to less radical. Choose one:
>>
>> 1. Remove plaintext auth support completely (patch does this)
>> 2. Accept, but never send plaintext passwords
>> 3. Accept and send plaintext passwords, but never use plaintext auth by
>> default (current defaults are MD5 first, plaintext second)
>> 4. Declare plaintext auth deprecated, add warnings to logs and
>> documentation
>>
>> I will make a patch for any of these variants, based on what community
>> decides.
>>
>
> Here's what I'd recommend:
>
> In Asterisk 12, patch chan_iax2 to emit a WARNING if auth=plaintext is used.
> That WARNING should tell a user that the option is deprecated.
>
> Additionally, add a note in UPGRADE that the plaintext option has been
> deprecated.
>
> In trunk (Asterisk 13), remove support for "plaintext". This means:
>
> - If a user specified "plaintext", emit an ERROR and reject loading chan_iax2.
>   Users should not be allowed to load the channel driver with an invalid
>   configuration, and you don't want to "help them" with their authentication
>   options.
> - Remove support for plaintext authentication in the code.
> - Add a note in UPGRADE that support for plaintext has been removed.
>
> Matt
>
> --
> Matthew Jordan
> Digium, Inc. | Engineering Manager
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com & http://asterisk.org

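An added example, not part of the thread and not Asterisk code: a configuration audit for the deprecation path discussed above. It lists iax.conf sections whose auth= still includes plaintext, and sections that set secret= without auth= and therefore depend on the defaults mentioned in the thread. The sample config and the function name are constructed for illustration; template inheritance and escaped semicolons are not handled.

```python
import re

# Constructed sample iax.conf; peer names and secrets are made up.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569

[branch-office]
type=friend
auth=md5,plaintext   ; still accepts cleartext secrets
secret=example1

[provider]
type=peer
auth = md5
secret => example2

[legacy-phone]
type=friend
secret=example3
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def audit_iax_auth(text):
    """Return (plaintext, unset): section names whose auth= lists plaintext,
    and section names that set secret= but leave auth= to the defaults."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)        # also covers 'key => value'
            current[key.strip().lower()] = value.lstrip(">").strip()
    plaintext, unset = [], []
    for name, opts in sections.items():
        methods = {m.strip().lower() for m in opts.get("auth", "").split(",")}
        if "plaintext" in methods:
            plaintext.append(name)
        elif "secret" in opts and "auth" not in opts:
            unset.append(name)
    return sorted(plaintext), sorted(unset)


if __name__ == "__main__":
    explicit, defaulted = audit_iax_auth(SAMPLE_IAX_CONF)
    print("auth includes plaintext:", explicit)
    print("secret set, auth left to defaults:", defaulted)
```
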