[Asterisk-Users] Using IAXTEL with RSA authentication. MD5 works, RSA not. [2]

Mark Spencer markster at digium.com
Tue Sep 16 21:27:03 MST 2003


We use RSA to authenticate to you, but not the other way around.  In order
to do RSA auth, we would need everyone's public key and you would have to
do an "init keys" at startup.

astgenkeys will make the key pairs.

Mark

On Tue, 16 Sep 2003, Steve Haehnichen wrote:

> [  Sorry, I incorrectly copied some Reference headers into this post
>    and tacked it onto the wrong thread.   -Steve ]
>
> So far, I have been able to receive incoming iaxtel calls via my
> assigned 1-700-xxx-xxxx number, but only when using md5
> authentication in iax.conf:
>
> [iaxtel]
> type=user                ; Incoming calls only
> context=incoming
> auth=md5
> secret=<mysecret>        ; Required for MD5
> inkeys=iaxtel
>
> Where <mysecret> is my iaxtel password.  This works great.
>
> If I use "auth=rsa", I can see the incoming connection attempt on
> "iax2 debug", but the incoming call is ignored with no error messages
> or dialed extensions.  (See below)
>
> My iaxtel public key looks like this:
>
> # ls -l /var/lib/asterisk/keys/iaxtel.pub
>    4 -rw-r--r--    1 root root 272 Sep 13 22:15 /var/lib/asterisk/keys/iaxtel.pub
> # md5sum /var/lib/asterisk/keys/iaxtel.pub
>   d919b3ef03eb4dc54c8fee86bfeeada1  /var/lib/asterisk/keys/iaxtel.pub
>
> I'm not sure where that key came from.  How do I get an updated public
> key from iaxtel?  Is it automatic?  Do I also need a private key?  How
> do I make one?  (I have none)
>
> It's really not critical since md5 seems secure enough here, but I
> thought I'd ask in case anyone else has run into this.  (I'd like to
> eventually set up my own RSA IAX2 trunks.)
>
>
> By the way, iaxtel and FWD is a great combo!  I have single phones out
> on the internet using the fwdnat service and FWD server, since that's
> the only thing that works behind some firewalls.  Those phones can
> dial in to my own Asterisk (also behind NAT) via my 1-700 iaxtel
> number.  This seems to be the best workaround for too-much-NAT.
>
> Thanks,
> -Steve
>
> Here is the iax2 debug for a failed incoming call with RSA authentication:
>
> IAX2 Debugging Enabled
> Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: NEW
>    Timestamp: 00001ms  SCall: 00058  DCall: 00000 [12.37.165.130:4569]
>    VERSION         : 2
>    CALLED NUMBER   : s
>    CALLING NUMBER  : 52285         *** my FWD number
>    CALLING NAME    : Steve FWD     *** the caller-id name in the BudgeTone phone
>    LANGUAGE        : en
>    FORMAT          : 2
>    CAPABILITY      : 2
>    ADSICPE         : 2
>
> Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: AUTHREQ
>    Timestamp: 00001ms  SCall: 00002  DCall: 00058 [12.37.165.130:4569]
>    AUTHMETHODS     : 4
>    CHALLENGE       : 206606603
>    USERNAME        : iaxtel
>
> ***  This challenge makes it look like it starts right off with MD5 auth.
> ***  I don't see anything RSA-looking.
>
> Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: ACK
>    Timestamp: 00001ms  SCall: 00058  DCall: 00002 [12.37.165.130:4569]
> Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: HANGUP
>    Timestamp: 07234ms  SCall: 00058  DCall: 00002 [12.37.165.130:4569]
> Tx-Frame Retry[-01] -- OSeqno: 001 ISeqno: 002 Type: IAX     Subclass: ACK
>    Timestamp: 07234ms  SCall: 00002  DCall: 00058 [12.37.165.130:4569]
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
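
An added example, not part of the original thread: a small parser for "iax2 debug" output that decodes the AUTHMETHODS bitmask sent in an AUTHREQ (1 = plaintext, 2 = MD5, 4 = RSA per RFC 5456) and reports whether the peer answered with an AUTHREP. The sample trace is abridged from the one quoted above with a documentation IP address substituted, and the function names are this example's own.

```python
import re

# IAX2 AUTHMETHODS bit values as defined in RFC 5456
AUTH_METHODS = {0x01: "plaintext", 0x02: "md5", 0x04: "rsa"}
FRAME_RE = re.compile(r"^(Rx|Tx)-Frame .*Subclass:\s*(\S+)")
IE_RE = re.compile(r"^\s+([A-Z][A-Z ]*?)\s*:\s*(\S+)")  # "   AUTHMETHODS     : 4"

# Constructed sample: abridged from the quoted trace, documentation IP substituted
SAMPLE = """\
Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: NEW
   Timestamp: 00001ms  SCall: 00058  DCall: 00000 [192.0.2.10:4569]
   VERSION         : 2
Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: AUTHREQ
   AUTHMETHODS     : 4
   CHALLENGE       : 206606603
   USERNAME        : iaxtel
Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: ACK
Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: HANGUP
"""

def decode_authmethods(mask):
    """Return the names of the methods set in an AUTHMETHODS bitmask."""
    return [name for bit, name in sorted(AUTH_METHODS.items()) if mask & bit]

def parse_frames(text):
    """Split 'iax2 debug' output into frames: direction, subclass, IE dict."""
    frames = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw)  # tolerate mail-quoted traces
        m = FRAME_RE.match(line)
        if m:
            frames.append({"dir": m.group(1), "subclass": m.group(2), "ies": {}})
            continue
        m = IE_RE.match(line)  # indented "NAME : value" lines; Timestamp lines don't match
        if m and frames:
            frames[-1]["ies"][m.group(1).strip()] = m.group(2)
    return frames

def auth_outcome(frames):
    """For the first AUTHREQ we sent: (offered methods, peer's next decisive frame)."""
    for i, f in enumerate(frames):
        if f["dir"] == "Tx" and f["subclass"] == "AUTHREQ":
            offered = decode_authmethods(int(f["ies"].get("AUTHMETHODS", 0)))
            replies = [g["subclass"] for g in frames[i + 1:] if g["dir"] == "Rx"]
            reply = next((s for s in replies if s in ("AUTHREP", "HANGUP")), "no-reply")
            return offered, reply
    return None

if __name__ == "__main__":
    print(auth_outcome(parse_frames(SAMPLE)))
```

A result of `(['rsa'], 'HANGUP')` means the challenge offered only RSA and the caller hung up without sending an AUTHREP.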



