[asterisk-dev] Plaintext auth support in IAX2
Tilghman Lesher
tilghman at meg.abyt.es
Mon Nov 4 11:57:43 CST 2013
On Mon, Nov 4, 2013 at 11:10 AM, Matthew Jordan <mjordan at digium.com> wrote:
>
> On Mon, Nov 4, 2013 at 2:21 AM, Eugene Varnavsky <varnavruz at gmail.com>
> wrote:
>>
>> I propose number of solutions, from more to less radical. Choose one:
>>
>> 1. Remove plaintext auth support completely (patch does this)
>> 2. Accept, but never send plaintext passwords
>> 3. Accept and send plaintext passwords, but never use plaintext auth by
>> default (current defaults are MD5 first, plaintext second)
>> 4. Declare plaintext auth deprecated, add warnings to logs and
>> documentation
>>
>> I will make a patch for any of these variants, based on what community
>> decides.
>>
>
> Here's what I'd recommend:
>
> In Asterisk 12, patch chan_iax2 to emit a WARNING if auth=plaintext is used.
> That WARNING should tell a user that the option is deprecated.
>
> Additionally, add a note in UPGRADE that the plaintext option has been
> deprecated.
>
> In trunk (Asterisk 13), remove support for "plaintext". This means:
>
> If a user specified "plaintext", emit an ERROR and reject loading chan_iax2.
> Users should not be allowed to load the channel driver with an invalid
> configuration, and you don't want to "help them" with their authentication
> options.
> Remove support for plaintext authentication in the code.
> Add a note in UPGRADE that support for plaintext has been removed.
I would strongly recommend NOT removing support for this in Asterisk
13, but merely having the deprecation warning. This has the potential
to BREAK existing implementations, and thus, it needs a MUCH longer
deprecation interval before removing it entirely.
-Tilghman
More information about the asterisk-dev
mailing list