Add Templating to iax.conf To Better Support Multiple Authenticated Clients #591
Add templated users for iaxRpt clients.
Template user authentication for DVSwitch Mobile, Zoiper, and other clients (non-iaxRpt).
Adds requirecalltoken=no for iaxRpt connections, to allow the utility to connect. Templates the authentication for [iaxrpt] and [iaxclient] to allow easier user management by moving client authentication to separate files (rather than having to duplicate the context for each user added).
InterLinked1
left a comment
I am against setting requirecalltoken=no without any other caveats. This is poor security advice and opens up systems to known vulnerabilities.
If you want to ensure that compatibility, I would restrict the number of non-validated calls using the approach for C*NET calls, here: https://github.com/InterLinked1/phreaknet-boilerplate/blob/master/iax.conf
Indeed, there is a security risk. However, if we're going to advertise/support its use, https://wiki.allstarlink.org/wiki/Setup/Download_IAXRpt , then Otherwise, you end up with the threads on the discussion forum like there are now, "Why can't iaxRpt connect to ASL3". Adding in a The other option would be to try and track down the source from Xeletec, and try and update it (I think that's more unlikely).
Using |
Attempt to mitigate a DoS threat from adding requirecalltoken=no to support iaxRpt clients (since iaxRpt doesn't support call tokens). See http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/Security_id36001692.html
Committed More background on the potential DoS issue: http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/Security_id36001692.html
Allan-N
left a comment
I'm not wild about the "an-clients" and "pc-clients" (and "an"/"pc") naming conventions mostly because I like to steer away from saying "this only applies to Android" or "this only applies to PCs". Maybe "iaxrpt-users" and "iaxclient-users"?
I'm also not wild about needing to have clients authenticate with usernames like <callsign>-an. Why not just <callsign> ?
The other comment I will make is that I've got some asl3-menu changes that will be adding files to [/etc/asterisk/]custom/rpt/*.conf, custom/simpleusb/*.conf, custom/usbradio/*.conf, etc. You might want to think about using the same convention (e.g. custom/iax/*.conf).
Changing the names of the credentials files to make them more agnostic isn't a big deal, I was just using the convention I've used on my systems. Same with moving them into The username authentication is a problem though if using just a callsign. The problem being if a user has an iaxRpt client and a DSVM client. You need to distinguish between the two accounts (clients), so that when the client tries to auth to Asterisk, the correct iax context and then extension is used. If you have a client in each user file with the same callsign (account), then Asterisk doesn't necessarily pick the correct context/extension (tested). Perhaps a -p for pc clients (iaxRpt) and -m for mobile clients?
Rename pc-clients to iaxrpt-clients to better match the context in iax.conf.
Rename the client file to better match the context in iax.conf.
Put the client credential files in /etc/asterisk/custom/iax and rename them to better match the context names in iax.conf.
Sure. But, this is only an issue when one wants to configure two clients using the same name. Could the documentation "suggest" that one use their callsign and include a caveat that if you are setting up multiple clients that then account names need to be unique. Here, you can even suggest using names like "yourcall-DVSM".
More documentation around naming contexts.
Add more documentation about unique context names for multiple types of clients.
Sure, reverted to just plain callsigns for the suggested context name, and added some documentation around unique context naming for multiple clients.
Allan-N
left a comment
All looks reasonable
mkmer
left a comment
LGTM
Is this complete, then, but for the change request? What happened to @ve7fet ?
It should be able to be merged. I believe everything was resolved that was outstanding.
A compromise was reached to use maxcallnumbers_nonvalidated to store count
Allan-N
left a comment
Q? the iaxrpt-users.conf and iaxclient-users.conf files are currently in the "rpt" directory (that will land in /etc/asterisk). Did we want to move them down into "rpt/custom/iax" so that they will be picked up by the #tryinclude ?
Also, I ran into some issues with templating the gps.conf file (#622). Are configurations without the #tryinclude file (or a filled out file) supposed to work if someone just modifies the template (but leaves it as a template) ?
Scrolling back up to Mar 26 comments, the intent is to put those I did some testing with If I add the bang to template the instance: If I comment out the randomly generated With the So, yes, it appears to work ok as a single user, even if it is templated, but no template user file exists. How to handle all this with the installer script... I don't know how that all works.
I agree. And, using
Great!
Sadly, the top-level asterisk "Makefile" looks to be simple minded. But, I should be able to move the custom/iax .conf files a bit deeper with our
This enhancement fixes the issue of iaxRpt clients not being able to connect by adding the `requirecalltoken = no` option to the `[iaxrpt]` context in `/etc/asterisk/iax.conf`.

This enhancement implements templating for additional users to be easily added, without cluttering up `iax.conf` by having to copy/paste the same code block each time you want to add a new individual user (such as net control operators, each with their own callerid and account credentials).

Users are stored in `/etc/asterisk/pc-clients.conf` (for iaxRpt clients), and `/etc/asterisk/an-clients.conf` for Android (ie DVSwitch Mobile or Zoiper) clients. They CAN be moved in to a folder such as `/etc/asterisk/custom/` by changing the include directive, such as `#tryinclude custom/pc-clients.conf`. Making sure, of course, that said folder has the proper ownership and permissions (asterisk:asterisk).

Adding new clients just requires duplicating the user authentication contexts, and adjusting account name (context), secret, and callerid, as required.
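
A sketch of the layout this thread converges on, as an added example that is not the PR's actual `iax.conf`: template contexts, per-client files under `custom/iax`, account names kept unique across the two files, and a global cap on non-validated call numbers to offset `requirecalltoken = no`. The callsign `N0CALL`, the secrets, the dialplan context names and the limit value are constructed placeholders.

```ini
; ---- /etc/asterisk/iax.conf (constructed sketch) ----
[general]
; Combined limit on call numbers handed out to connections that skip
; call token validation. Every section with requirecalltoken = no
; draws from this one pool, so a small value bounds the DoS exposure.
; The value 16 is illustrative, not a recommendation from the thread.
maxcallnumbers_nonvalidated = 16

; Template for iaxRpt clients. The (!) marks it as template-only.
[iaxrpt](!)
type = user
auth = md5
context = iaxrpt-in        ; hypothetical dialplan context
requirecalltoken = no      ; iaxRpt does not support call tokens

; Template for other clients (DVSwitch Mobile, Zoiper).
; requirecalltoken is deliberately not overridden here.
[iaxclient](!)
type = user
auth = md5
context = iaxclient-in     ; hypothetical dialplan context

; Per-user credentials live outside iax.conf. #tryinclude does not
; fail the load when a file is absent.
#tryinclude custom/iax/iaxrpt-users.conf
#tryinclude custom/iax/iaxclient-users.conf

; ---- /etc/asterisk/custom/iax/iaxrpt-users.conf ----
; One section per account, inheriting from the template above.
[N0CALL](iaxrpt)
secret = CHANGE-ME-1       ; placeholder
callerid = "N0CALL" <0>

; ---- /etc/asterisk/custom/iax/iaxclient-users.conf ----
; Same operator, second client: the account name must differ from the
; one in iaxrpt-users.conf so the intended context is matched.
[N0CALL-DVSM](iaxclient)
secret = CHANGE-ME-2       ; placeholder
callerid = "N0CALL" <0>
```

The credential files hold shared secrets, so they need the same ownership as the rest of the Asterisk configuration (asterisk:asterisk) and should not be world-readable.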