[asterisk-users] asterisk sip peer/user matching methods forauthentication backwards?

Doug Meredith doug.meredith at skyridge.com
Thu Jan 4 10:22:54 MST 2007 

Hi,

 

I too have found this matching to be frustrating.  I would like it to
behave as you describe.

 

Doug

-- 

Doug Meredith

506-854-7997 ext. 801

________________________________

From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Damon
Estep
Sent: Thursday, January 04, 2007 1:50 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] asterisk sip peer/user matching methods
forauthentication backwards?

 

Take an example where there is two sip users defined in sip.conf as
follows;

 

[peer1]

Host=192.168.1.1

...

 

[peer2]

Host=dynamic

Secret=password

...

 

[Peer3]

Config not relevant

...

 

The intention is to accept calls from peer1 without authentication (ip
address authentication only), but require authentication from peer2

 

If by chance a SIP invite comes "From" peer2 at 192.168.1.1 (where the name
peer2 on the calling server coincidentally matches a defined sip user on
the called asterisk server)  "To" peer3 at asterisk_hostname, Asterisk will
attempt to authenticate the caller "peer2" rather than accepting the
call based on the fact that it came from a trusted Ip address defined
for peer1. Since peer1 is trusted it is not sending credentials and will
have its invite rejected with a 407 "proxy authentication required" when
it fails to authenticate as "peer2".

 

This logic seems backwards to me, the IP address should be matched
first, and if there is no statically defined user with that IP address
the username should be matched next. This would insure that all calls
from the trusted IP address are accepted regardless of whether there is
coincidently a SIP user with a matching name defined on the target
asterisk server.

 

So rather than looking for a match in this order;

 

1.	name portion of "From" URI in the invite ("host" in the URI
host at domain.com).
2.	ip address statically assigne for a user

 

it should look in this order;

 

1.	statically defined sip user ip addresses
2.	name portion of the "From" URI

 

Can anyone shed any light on this, or suggest a workaround so 407's are
not sent if the invite "from" header happens to have the same name
portion of the URI as a defined sip user on the target asterisk server ?

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20070104/5d0dcd48/attachment.htm

More information about the asterisk-users mailing list