[Asterisk-Users] IAX2 authentication confusion
Kevin P. Fleming
kpfleming at backtobasicsmgmt.com
Fri Jun 25 10:10:43 MST 2004
Jeremy McNamara wrote:
> On the machine you wish to dial out, you have in your iax.conf:
>
> [peer]
> type=peer
> host=1.2.3.4
> secret=foo
>
> and in that same machine's extensions.conf you have something that looks
> like:
>
> Dial,IAX2/USER@peer/${EXTEN}
>
> Then on the 'peer' (other) machine you need:
>
> [USER]
> type=user
> context=incoming
> auth=md5
>
> which is cAsE SeNsITiVe. Plus you need the appropriate extension(s) in
> this (other) machine's extensions.conf.
I understand that, except that this succeeds even if the calling host's
Dial command does _not_ include the USER name at all!
> Have you bothered to study any of the documentation out there? Start
> here: http://www.voip-info.org/
Of course :-) I've spent the last month doing exactly that... But I
don't understand how Asterisk can authenticate an incoming IAX2 call
that does not include a USERNAME field (checked with iax2 debug turned
on). I have done it on my machine, and moved the shared "secret" to a
different entry in the receiving machine's iax.conf file, and the call
still succeeds, with the receiving Asterisk thinking that the caller is
now coming from that different entity.
In other words, somehow Asterisk is using _only_ the secret to identify
_and_ authenticate the caller. I don't have any problem putting all the
needed information on the calling systems (they will be under my
control); my concern is that on my receiving end, unless I use IP-based
restrictions for callers, anyone at all can connect if they can guess any
secret in my iax.conf file, not a valid username/secret pair.
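As an added example (not code from this thread or from Asterisk), a small Python audit of an iax.conf for the situation described above: if an inbound IAX2 call carries no username, the receiving side can only match the caller by secret, so a secret shared between several entries is ambiguous and entries without permit/deny restrictions accept callers from anywhere. The sample config is constructed; the keys used (type, secret, auth, permit, deny) are standard iax.conf options.

```python
from collections import defaultdict

# Constructed sample iax.conf (not from the thread): alice and bob share a secret,
# bob has no IP restriction, and carol still allows plaintext authentication.
SAMPLE_IAX_CONF = """[alice]
type=user
auth=md5
secret=foo
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255
[bob]
type=user
auth=md5
secret=foo
[carol]
type=friend
auth=md5,plaintext
secret=bar
"""

def parse_iax_conf(text):
    """Minimal iax.conf parser: {section: {key: value}}; ';' comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_iax_conf(text):
    """Sorted (section, finding) pairs for entries that authenticate inbound calls."""
    findings, by_secret = [], defaultdict(list)
    for name, opts in parse_iax_conf(text).items():
        if opts.get("type") not in ("user", "friend"):
            continue  # type=peer only places calls; it never authenticates a caller
        if "secret" in opts:
            by_secret[opts["secret"]].append(name)
        if "permit" not in opts and "deny" not in opts:
            findings.append((name, "no permit/deny restriction"))
        if "plaintext" in opts.get("auth", ""):
            findings.append((name, "auth allows plaintext"))
    # With no username in the call, a secret shared by several entries is ambiguous.
    for names in by_secret.values():
        for n in (names if len(names) > 1 else ()):
            others = ", ".join(sorted(set(names) - {n}))
            findings.append((n, "secret shared with " + others))
    return sorted(findings)
```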