Summary:ASTERISK-21666: patch to implement match_auth_username option(sip.conf) for SIP REGISTER
Reporter:Wolfgang Pichler (wuwu)Labels:patch
Date Opened:2013-04-22 22:27:28Date Closed:
Versions:11.3.0 13.18.4 Frequency of
Environment:centos 6, 64 bitAttachments:( 0) auth_username_match.diff
Description:i have taken a look at the match_auth_username option in sip.conf - and in the chan_sip.c implementation.

chan_sip does implement the username check in the Authorization header for subscribes and invites and so on - but not for REGISTER.

Why is that so ? That does not make sense for me.

I have patched the register function in chan_sip - so it now does also accept the username in the authorization header. Does work as expected - and does solve some little "not that nice name on display" problems...
Comments:By: Walter Doekes (wdoekes) 2013-04-23 03:54:59.549-0500

(1) Can you elaborate on the "not that nice name on display" problem?

(2) Technically it'd be wrong to use the auth username to match the peer. After all, in theory should be possible to use auth token X to register peer location Y and Z. With that flag enabled, you'd silently ignore a request to register Y and be registering X instead.

If it does solve a real world problem (see (1)), it might be useful. But I wouldn't want it enabled whenever match_auth_username is enabled.


I'm assuming you're waiting for your license to get approved so you can post your patch. RFEs without a patch get closed.

By: Wolfgang Pichler (wuwu) 2013-04-23 07:09:47.728-0500

about (1): I have seen it on a bigger setup for a customer, which does use snom phones. Our setup does generate random sip peers for every snom phone (for security reason we do not use a extension=username mapping). To be able to register the snom phones with asterisk - you have to specifiy the auth user in the from tag. But with this - you will get the these account name when redirecting a call to an other phone.

Beside of that - i think when there is an option match_auth_username - then it should get applied to all parts - not only some parts. In my opinion there are two options here - remove it complete - or add it also to the SIP REGISTER method.

about (2): This would require that asterisk does distinguish between the authentication object - and the peer object. So it would also be possible to register with the same authentication object different phones on different locations - this would really be fine...

I will attach the diff now - i do already have a license - but forgot to attach it - sorry

By: Rusty Newton (rnewton) 2013-04-24 15:05:08.256-0500

Wolfgang, if you haven't already, since this the right approach for this may not be easily agreed upon by everyone you probably want to bring this bug/feature up for discussion on the asterisk-dev list. I'm sure others will want to weigh in.