Steve Haehnichen
2003-Sep-16 18:14 UTC
[Asterisk-Users] Using IAXTEL with RSA authentication. MD5 works, RSA not. [2]
[ Sorry, I incorrectly copied some Reference headers into this post
and tacked it onto the wrong thread. -Steve ]

So far, I have been able to receive incoming iaxtel calls via my
assigned 1-700-xxx-xxxx number, but only when using md5
authentication in iax.conf:

    [iaxtel]
    type=user ; Incoming calls only
    context=incoming
    auth=md5
    secret=<mysecret> ; Required for MD5
    inkeys=iaxtel

Where <mysecret> is my iaxtel password. This works great.

If I use "auth=rsa", I can see the incoming connection attempt on
"iax2 debug", but the incoming call is ignored with no error messages
or dialed extensions. (See below)

My iaxtel public key looks like this:

    # ls -l /var/lib/asterisk/keys/iaxtel.pub
    4 -rw-r--r-- 1 root root 272 Sep 13 22:15 /var/lib/asterisk/keys/iaxtel.pub
    # md5sum /var/lib/asterisk/keys/iaxtel.pub
    d919b3ef03eb4dc54c8fee86bfeeada1 /var/lib/asterisk/keys/iaxtel.pub

I'm not sure where that key came from. How do I get an updated public
key from iaxtel? Is it automatic? Do I also need a private key? How
do I make one? (I have none)

It's really not critical since md5 seems secure enough here, but I
thought I'd ask in case anyone else has run into this. (I'd like to
eventually set up my own RSA IAX2 trunks.)

By the way, iaxtel and FWD is a great combo! I have single phones out
on the internet using the fwdnat service and FWD server, since that's
the only thing that works behind some firewalls. Those phones can
dial in to my own Asterisk (also behind NAT) via my 1-700 iaxtel
number. This seems to be the best workaround for too-much-NAT.

Thanks,
-Steve

Here is the iax2 debug for a failed incoming call with RSA authentication:

    IAX2 Debugging Enabled
    Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: NEW
       Timestamp: 00001ms SCall: 00058 DCall: 00000 [12.37.165.130:4569]
       VERSION : 2
       CALLED NUMBER : s
       CALLING NUMBER : 52285 *** my FWD number
       CALLING NAME : Steve FWD *** the caller-id name in the BudgeTone phone
       LANGUAGE : en
       FORMAT : 2
       CAPABILITY : 2
       ADSICPE : 2

    Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ
       Timestamp: 00001ms SCall: 00002 DCall: 00058 [12.37.165.130:4569]
       AUTHMETHODS : 4
       CHALLENGE : 206606603
       USERNAME : iaxtel

    *** This challenge makes it look like it starts right off with MD5 auth.
    *** I don't see anything RSA-looking.

    Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: ACK
       Timestamp: 00001ms SCall: 00058 DCall: 00002 [12.37.165.130:4569]
    Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: HANGUP
       Timestamp: 07234ms SCall: 00058 DCall: 00002 [12.37.165.130:4569]
    Tx-Frame Retry[-01] -- OSeqno: 001 ISeqno: 002 Type: IAX Subclass: ACK
       Timestamp: 07234ms SCall: 00002 DCall: 00058 [12.37.165.130:4569]
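Added example, not part of the original posts: a small parser for an "iax2 debug" trace like the one above. It decodes the AUTHMETHODS information element, which in IAX2 is a bitmask (plaintext 0x1, MD5 0x2, RSA 0x4), and flags a call where the peer hangs up after AUTHREQ without ever sending AUTHREP. The sample is abridged from the trace in the post; the function names are this example's own.

```python
import re

# IAX2 AUTHMETHODS is a bitmask: plaintext 0x1, MD5 0x2, RSA 0x4.
AUTH_BITS = {0x1: "plaintext", 0x2: "md5", 0x4: "rsa"}
FRAME_RE = re.compile(r"^\s*(Rx|Tx)-Frame .*Subclass:\s*(\S+)")
IE_RE = re.compile(r"^\s*([A-Z][A-Z ]*?)\s*:\s*(\S+)")

# Sample input: the trace from the post, abridged (Timestamp lines dropped).
SAMPLE = """\
Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: NEW
   CALLED NUMBER : s
Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ
   AUTHMETHODS : 4
   CHALLENGE : 206606603
   USERNAME : iaxtel
Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: ACK
Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: HANGUP
Tx-Frame Retry[-01] -- OSeqno: 001 ISeqno: 002 Type: IAX Subclass: ACK
"""

def decode_authmethods(value):
    """Return the names of the auth methods set in an AUTHMETHODS bitmask."""
    return [name for bit, name in sorted(AUTH_BITS.items()) if value & bit]

def parse_frames(text):
    """Split debug output into frames: direction, subclass, and their IEs."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"dir": m.group(1), "subclass": m.group(2), "ies": {}})
            continue
        m = IE_RE.match(line)          # "KEY : value" lines belong to the last frame
        if m and frames:
            frames[-1]["ies"][m.group(1)] = m.group(2)
    return frames

def auth_outcome(frames):
    """Report which methods we offered and whether the peer answered them."""
    offered, replied = [], False
    for f in frames:
        kind = (f["dir"], f["subclass"])
        if kind == ("Tx", "AUTHREQ"):
            offered = decode_authmethods(int(f["ies"].get("AUTHMETHODS", "0")))
        elif kind == ("Rx", "AUTHREP"):
            replied = True
        elif kind == ("Rx", "HANGUP") and offered and not replied:
            return {"offered": offered, "result": "peer hung up without AUTHREP"}
    return {"offered": offered, "result": "AUTHREP seen" if replied else "no AUTHREP, no hangup"}

print(auth_outcome(parse_frames(SAMPLE)))
```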
Mark Spencer
2003-Sep-16 21:27 UTC
[Asterisk-Users] Using IAXTEL with RSA authentication. MD5 works, RSA not. [2]
We use RSA to authenticate to you, but not the other way around. In
order to do RSA auth, we would need everyone's public key and you would
have to do an "init keys" at startup. astgenkeys will make the key pairs.

Mark

On Tue, 16 Sep 2003, Steve Haehnichen wrote:

> [ Sorry, I incorrectly copied some Reference headers into this post
> and tacked it onto the wrong thread. -Steve ]
>
> So far, I have been able to receive incoming iaxtel calls via my
> assigned 1-700-xxx-xxxx number, but only when using md5
> authentication in iax.conf:
>
> [iaxtel]
> type=user ; Incoming calls only
> context=incoming
> auth=md5
> secret=<mysecret> ; Required for MD5
> inkeys=iaxtel
>
> Where <mysecret> is my iaxtel password. This works great.
>
> If I use "auth=rsa", I can see the incoming connection attempt on
> "iax2 debug", but the incoming call is ignored with no error messages
> or dialed extensions. (See below)
>
> My iaxtel public key looks like this:
>
> # ls -l /var/lib/asterisk/keys/iaxtel.pub
> 4 -rw-r--r-- 1 root root 272 Sep 13 22:15 /var/lib/asterisk/keys/iaxtel.pub
> # md5sum /var/lib/asterisk/keys/iaxtel.pub
> d919b3ef03eb4dc54c8fee86bfeeada1 /var/lib/asterisk/keys/iaxtel.pub
>
> I'm not sure where that key came from. How do I get an updated public
> key from iaxtel? Is it automatic? Do I also need a private key? How
> do I make one? (I have none)
>
> It's really not critical since md5 seems secure enough here, but I
> thought I'd ask in case anyone else has run into this. (I'd like to
> eventually set up my own RSA IAX2 trunks.)
>
>
> By the way, iaxtel and FWD is a great combo! I have single phones out
> on the internet using the fwdnat service and FWD server, since that's
> the only thing that works behind some firewalls. Those phones can
> dial in to my own Asterisk (also behind NAT) via my 1-700 iaxtel
> number. This seems to be the best workaround for too-much-NAT.
>
> Thanks,
> -Steve
>
> Here is the iax2 debug for a failed incoming call with RSA authentication:
>
> IAX2 Debugging Enabled
> Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: NEW
> Timestamp: 00001ms SCall: 00058 DCall: 00000 [12.37.165.130:4569]
> VERSION : 2
> CALLED NUMBER : s
> CALLING NUMBER : 52285 *** my FWD number
> CALLING NAME : Steve FWD *** the caller-id name in the BudgeTone phone
> LANGUAGE : en
> FORMAT : 2
> CAPABILITY : 2
> ADSICPE : 2
>
> Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ
> Timestamp: 00001ms SCall: 00002 DCall: 00058 [12.37.165.130:4569]
> AUTHMETHODS : 4
> CHALLENGE : 206606603
> USERNAME : iaxtel
>
> *** This challenge makes it look like it starts right off with MD5 auth.
> *** I don't see anything RSA-looking.
>
> Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: ACK
> Timestamp: 00001ms SCall: 00058 DCall: 00002 [12.37.165.130:4569]
> Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: HANGUP
> Timestamp: 07234ms SCall: 00058 DCall: 00002 [12.37.165.130:4569]
> Tx-Frame Retry[-01] -- OSeqno: 001 ISeqno: 002 Type: IAX Subclass: ACK
> Timestamp: 07234ms SCall: 00002 DCall: 00058 [12.37.165.130:4569]