[Asterisk-doc] IAX2 authentication
Philipp von Klitzing
asterisk-doc@lists.digium.com
Sat, 26 Jun 2004 18:25:50 +0200
Hi folks,
once again a little piece of information that deserves to be reflected in
the book. The initial problem discussed was/is that IAX performs
authentication *only* based upon password not looking at any username,
leaving (too) much room for brute-force pw attacks.
It'd be great if whoever is concerned with the IAX chapter could take
this on board in one way or another.
Ok, here is the quote:
"Done, as bug 1928, although the notes for 1458 imply that Mark is aware
of this issue and the code is not faulty. Mark's response to the bug
entered explained the situation fairly well, and I have updated the IAX2
wiki page with a note about this issue.
Basically, the simple solutions are:
- use only RSA keys for authentication (can't be guessed)
- use IP-based access control for any "type=user" entries in iax.conf
that would provide access to services that you don't want anonymous
users to be able to "steal"
- as a last resort, provide a "guest" user entry in iax.conf (no secret
specified), which goes to a limited context (possibly just
Congestion)... Asterisk will always choose this no-secret-specified user
entry first for any anonymous incoming IAX2 connections, without
proposing any kind of secret match/challenge with the caller"
Cheers, Philipp
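As an added illustration (not from the mail above or from the Asterisk project), the weak password-only entry beside the three mitigations Philipp quotes, written as iax.conf entries; the section names, secret, network range and key name are constructed placeholders.

```ini
; iax.conf (illustrative; names and values are constructed placeholders)

; --- Weak: the shared secret alone selects this entry. IAX2 does not match
; on the username first, so anyone who guesses the secret lands in the
; unrestricted context.
[salesline-weak]
type=user
secret=s3cret_placeholder
context=outbound                    ; full outbound dialling

; --- Mitigation 1: RSA challenge/response, nothing guessable to brute-force.
; The caller's public key is installed as <keyname>.pub in the Asterisk keys
; directory; "branchoffice_key" is a placeholder name.
[branch-office]
type=user
auth=rsa
inkeys=branchoffice_key
context=outbound

; --- Mitigation 2: keep a password entry, but accept it only from known
; source addresses, so a guessed secret is useless from anywhere else.
[salesline]
type=user
secret=s3cret_placeholder
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0      ; constructed (TEST-NET-1) range
context=outbound

; --- Mitigation 3: an explicit no-secret entry. Anonymous IAX2 callers are
; matched to this first and get a context that can only fail the call.
[guest]
type=user
context=anonymous-sink

; extensions.conf, the matching limited context:
; [anonymous-sink]
; exten => _X.,1,Congestion
```

After reloading, a test call from an unlisted address to [salesline] should be refused, and an anonymous call should reach only the Congestion tone.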