[Asterisk-Users] IAX2 authentication confusion (bug 1928)

Kevin P. Fleming kpfleming at backtobasicsmgmt.com
Fri Jun 25 22:33:50 MST 2004


Andres wrote:

> I just tried this myself and it behaves as you have described it.  No 
> need to use a  username.  When the call comes in on the remote Asterisk, 
> the iax.conf simply tries to match the password to any entry.  The first 
> entry with a matching password gets used.   I suggest you open a bug to 
> at least get this documented.

Done, as bug 1928, although the notes for 1458 imply that Mark is aware 
of this issue and the code is not faulty... he wants it to work this way.
Personally I cannot see the value in allowing completely anonymous IAX 
connections, especially since they can connect as _any_ user you may 
have specified in your iax.conf file by just guessing the password.

Granted, if your IAX users are on fixed IP addresses you can use 
IP-based access control, and if you can use keys then that also solves 
the problem even for users with dynamic IPs. However, I'd like to see 
some explanation of why anonymous connections are allowed to iax.conf 
user entries with secrets specified; at best, I would think that 
anonymous connections should only be allowed to user entries with _no_ 
secret specified.
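
Added example, not part of the original post and not Asterisk code: a small audit that lists iax.conf user entries an anonymous caller could reach by guessing the secret alone, plus entries that share a secret (where the first match would win). It assumes the standard iax.conf option names (type, secret, auth, deny, permit, inkeys); the entries, secrets and key name are constructed.

```python
import re

# Constructed sample iax.conf, not taken from the original post.
SAMPLE = """\
[alice]
type=user
secret=s3cret
[bob]
type=friend
secret=s3cret       ; same secret as alice
[carol]
type=user
secret=other
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
[dave]
type=user
auth=rsa
inkeys=dave_pub
[guest]
type=user           ; no secret: deliberately anonymous
"""

def parse(text):
    """Map each [section] to a dict of its key=value options."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """List (entry, reason) for user entries protected by the secret alone."""
    findings, first_with = [], {}
    for name, opts in parse(text).items():
        if opts.get("type") not in ("user", "friend") or "secret" not in opts:
            continue
        key_only = opts.get("auth", "").replace(" ", "").lower() == "rsa"
        # Assumption: an ACL only restricts when it contains a deny rule.
        if not key_only and "deny" not in opts:
            findings.append((name, "secret-only"))
        owner = first_with.setdefault(opts["secret"], name)
        if owner != name:
            findings.append((name, f"shares secret with {owner}"))
    return findings
```
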


