Page 374 - Asterisk™: The Future of Telephony

[sushi]
type=user
context=local_users
auth=md5,plaintext,rsa
secret=wasabi
transfer=no
jitterbuffer=yes
callerid="Happy Tempura" <(800) 555-1234>
accountcode=seaweed
deny=0.0.0.0/0.0.0.0
permit=192.168.1.100/255.255.255.0
language=en


IAX Authentication
IAX provides authentication mechanisms that give a reasonable level of security
between endpoints. Authentication controls who may set up calls to your system; it
does not protect the media, so the audio can still be captured and decoded by anyone
on the network path. Three levels of security are supported on IAX channels. The auth
option defines which authentication methods are acceptable on the channel: plaintext,
md5, or rsa, listed in any combination.

plaintext, in IAX, offers very little security. It does refuse the connection unless a
valid password is supplied, but the password is stored in iax.conf in plain text and,
worse, is transmitted and received in plain text, so a single captured packet hands the
secret to anyone watching the network. This makes it a very insecure authentication method.
md5 improves the security of the network connection; however, both ends still require
the plain-text secret in their iax.conf files. Here's how it works: Box A requests a
connection with Box B, which replies with an authentication request (an AUTHREQ frame)
carrying a randomly generated challenge. Box A computes an MD5 hash over that challenge
and the value of the secret field in its iax.conf, and returns the hash in its
authentication reply (an AUTHREP frame). Box B computes the same hash locally and, if
the two match, grants the call. The secret itself never crosses the network, but anyone
who captures the challenge and the reply can test guessed secrets against them offline,
so md5 is only as strong as the secret is resistant to guessing.
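The exchange just described, written out in Python as an added example (this is not code from the book or from Asterisk). Box B issues a challenge, Box A answers with the MD5 of the challenge followed by the secret, and Box B recomputes and compares. The concatenation order (challenge first, then secret, hex-encoded) follows chan_iax2 and RFC 5456; the page itself says only that both values are hashed. Frame encoding is left out; only the authentication arithmetic is shown. The last function demonstrates the caveat above: a captured challenge/response pair can be checked offline against a wordlist, which is why a secret like wasabi is a poor choice even with md5.

```python
"""IAX2 MD5 challenge/response and the offline-guessing caveat.

Added example; not code from the book or from Asterisk. Digest is
MD5(challenge || secret), hex-encoded, as chan_iax2 and RFC 5456 compute it.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Constructed sample: the shared secret from the [sushi] stanza above.
SECRET = "wasabi"


def make_challenge() -> str:
    """Box B's side of AUTHREQ: a random challenge string.

    Asterisk sends a random decimal number; a CSPRNG is used here so the
    challenge cannot be predicted and a reply replayed.
    """
    return str(secrets.randbelow(2**31))


def md5_response(challenge: str, secret: str) -> str:
    """Box A's side of AUTHREP: MD5 over challenge followed by secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def verify(challenge: str, response: str, secret: str) -> bool:
    """Box B recomputes the digest and compares it in constant time."""
    expected = md5_response(challenge, secret)
    return hmac.compare_digest(expected, response)


def offline_guess(challenge: str, response: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """The caveat as code: whoever captured AUTHREQ/AUTHREP can test guesses
    without ever contacting either box. Returns the recovered secret or None.
    """
    for guess in candidates:
        if hmac.compare_digest(md5_response(challenge, guess), response):
            return guess
    return None


def run_exchange(secret_a: str = SECRET,
                 secret_b: str = SECRET) -> Tuple[str, str, bool]:
    """One complete exchange. Returns (challenge, response, accepted).

    secret_a is what Box A has in its iax.conf, secret_b what Box B has;
    they must agree for the call to be accepted.
    """
    challenge = make_challenge()                      # Box B -> Box A (AUTHREQ)
    response = md5_response(challenge, secret_a)      # Box A -> Box B (AUTHREP)
    accepted = verify(challenge, response, secret_b)  # Box B decides
    return challenge, response, accepted


if __name__ == "__main__":
    ch, resp, ok = run_exchange()
    print(f"challenge={ch} response={resp} accepted={ok}")
    # Constructed wordlist; a real attacker would use a far larger one.
    print("offline guess:", offline_guess(ch, resp, ["ginger", "nori", "wasabi"]))
```

Run it as a script to see one exchange succeed and then watch the three-word list recover the secret from nothing but the captured pair. Swapping in a long random secret does not change the protocol, but it makes the offline step infeasible, which is the only defence md5 offers against a passive listener.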
The rsa method provides the most security, because no shared secret exists to be stolen
from either iax.conf. Before using RSA authentication, each end must create a public and
private key pair with the astgenkey script, typically found in
/usr/src/asterisk/contrib/scripts/. Each end then gives its public key to the far end;
private keys never leave the box that generated them. The two parameters are not
symmetric: inkeys lists the far end's public keys (by name, colon-separated if there are
several) that will be accepted on incoming calls, and outkey names the local private key
used to sign outgoing authentication. If Box A's pair is boxa.pub/boxa.key and Box B's is
boxb.pub/boxb.key, Box A's entry for Box B carries outkey=boxa and inkeys=boxb, and Box B's
entry for Box A carries outkey=boxb and inkeys=boxa.
RSA keys are stored in /var/lib/asterisk/keys/. Public keys are named name.pub; private
keys are named name.key. astgenkey encrypts the private key with 3DES under a passphrase
(its -n option skips the passphrase for boxes that must restart unattended); Asterisk can
only load an encrypted key if the passphrase is supplied, which is what asterisk -i
(initialize crypto keys) prompts for at startup. Whether encrypted or not, the .key file
should be readable only by the user Asterisk runs as.


Incoming calls from this user arrive in the context local_users, and the user asks the
system to accept the Caller ID Happy Tempura <(800) 555-1234>. Because auth lists md5,
plaintext, and rsa, the system will accept any of the three from this user; md5 and
plaintext require the password wasabi, while rsa would also need an inkeys entry naming the
far end's public key, which this stanza does not have. Listing plaintext buys nothing if the
far end can do md5, and it lets a far end that chooses plaintext send wasabi across the
network in the clear. The deny/permit pair first rejects every source address and then
admits the permit line; note that 192.168.1.100/255.255.255.0 is masked to the whole
192.168.1.0/24 network, so the call may come from any host on that subnet, not only from
192.168.1.100 (use a mask of 255.255.255.255 to pin a single host). All calls related to
this channel will be assigned the account code seaweed. Because we've


               346 | Appendix A: VoIP Channels