Summary:ASTERISK-01903: IAX connections without username from dynamic host allowed with only "secret"
Reporter:Kevin P. Fleming (kpfleming)Labels:
Date Opened:2004-06-26 00:46:18Date Closed:2011-06-07 14:05:00
Versions:Frequency of
Description:If I have a "type=user" entry in IAX.conf that does not have IP-based access control, anyone can connect as that user by only having to guess the "secret" associated with that user entry.

This is because IAX allows incoming connections without USERNAME specified (as documented in bug 1458), and will match entries using _solely_ the secret. Unless RSA keys are in use, this makes for a not-very-secure Asterisk system, if there are a large number of entries in iax.conf for hosts without fixed IP addresses.

I do not understand why Asterisk allows IAX connections without a USERNAME specified; to allow anonymous connections, "guest" should be good enough.
Comments:By: Mark Spencer (markster) 2004-06-26 01:03:54

This isn't a bug.  If no username is specified, the asterisk side will suggest one.  If unspecified it will select a username with the following priority

1) User with host access and no secret, and we pass the host access
2) User with no host access and no authentication required
3) User with host access and secret, and we pass the host access
4) User with no host access and authentication required

This is commented in the source code, perhaps it belongs in the wiki as well.

As you can see, all you need to do if you don't want it to pick a user with a secret is to create a guest account.