[Asterisk-Users] IAX2 authentication confusion

Kevin P. Fleming kpfleming at backtobasicsmgmt.com
Fri Jun 25 07:55:50 MST 2004


We spent some time yesterday trying to understand how IAX2 
authentication works, and now I'm confused...

Let's say that the receiving end has this entry in their iax.conf file:

[remote-site]
type=user
secret=foo
auth=md5
context=incoming
host=dynamic

The way I see it, there are two ways to initiate an outbound IAX2 
connection to this system:

1) Use Dial, as in:

Dial(IAX2/remote-site:foo@local-site.domain.com/extension)

In this mode, the IAX2 setup message contains a USERNAME 
("remote-site"), and the receiving system compares it to the entity name 
in iax.conf, before comparing the secret. This is fine.

2) Use Dial and iax.conf, as in:

Dial(IAX2/local-site/extension)

and in remote-site's iax.conf:

[local-site]
type=peer
secret=foo
auth=md5
host=local-site.domain.com

In this mode, the IAX2 setup message _does not_ contain a USERNAME, and 
the receiving system somehow manages to find the proper entry and 
authenticate the connection.

However, the only way that I could see that this would be possible is 
that the receiving system is comparing the supplied "secret" against all 
secrets in its iax.conf file to try to find a match. I don't know how 
that is possible using md5 authentication, but even if it is, I don't 
particularly like it. That means someone can connect to my Asterisk 
server over IAX if they can guess _any_ secret that happens to be in my 
iax.conf file.

I really would prefer to not embed the username/password information in 
my Dial commands (that way it doesn't have to be duplicated in multiple 
contexts, and it's more logically stored in iax.conf anyway), but unless 
I do that Asterisk does not send a USERNAME to the receiving server and 
thus the authentication is not very secure.

Is there a reason why Asterisk allows incoming IAX2 calls without 
USERNAME specified at all?
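To make the concern in the post concrete, here is an added example (not from the post or from Asterisk's source) that models IAX2 MD5 challenge/response verification over the two iax.conf entries quoted above plus one extra constructed entry. The MD5 result is the hex MD5 of the challenge concatenated with the secret, as later documented in RFC 5456; the "try every secret" fallback is a model of the behaviour the poster suspects, not a statement about what chan_iax2 actually does.

```python
import hashlib

# Constructed iax.conf fragment: the [remote-site] entry from the post plus a
# second user entry, to show what matching "any secret in the file" would mean.
IAX_CONF = """
[remote-site]
type=user
secret=foo
auth=md5
context=incoming
host=dynamic

[other-site]
type=user
secret=bar
auth=md5
"""


def parse_iax_conf(text):
    """Return {section: {key: value}} for a minimal iax.conf-style text."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            entries[current][key.strip()] = value.strip()
    return entries


def md5_result(challenge, secret):
    """IAX2 MD5 auth: hex MD5 over challenge + secret (RFC 5456, MD5 RESULT IE)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def verify(entries, challenge, result, username=None):
    """Return the names of entries whose secret reproduces the caller's result.

    With a USERNAME only that entry is tried. Without one (the case the post
    worries about) this model tries every type=user entry, so a caller who
    knows any one secret in the file would be accepted."""
    if username:
        candidates = [username] if username in entries else []
    else:
        candidates = [n for n, e in entries.items() if e.get("type") == "user"]
    return [n for n in candidates
            if md5_result(challenge, entries[n]["secret"]) == result]
```

The server knows the challenge it issued, so recomputing the hash per candidate secret is cheap; the security difference between the two modes is purely how many candidates get tried.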
