Unpair the extension number from the registration username. One account for many extensions

Hello to all,
I am not an expert on Asterisk. Some concepts are not clear to me, and I am not completely clear.
Both for simplicity but also for security reasons, I would like to have the following configuration:

  • Accounts for SIP REGISTER
  • extension to define phones.

An account could authenticate itself from multiple phones.

In addition, the username of the account that is sent to the sip register could also be complex would increase the difficulty of an unauthorized REGISTER. Therefore, the attacker should guess the username (alphanumeric, instead of a banal internal number) and the password.

Is it possible to do that?

I miss the parameter username in pjsip, I thought it might help decouple number extension from authentication username.

Here is a sample:



But this does not work. To work username must be valid 2001.

Thanks for your help.

There is no username parameter in chan_sip. What used to be called username is now called defaultuser, and it is only used for outbound calls when registrations are incoming, and before any registration, so is rarely useful.

The official advice, although rarely obeyed, is that the user field in incoming SIP requests should not be the extension number, and that is how to get the improvement in security that you suggest.

The weakness of authorisation user (which I can be used as a match criterion in pjsip, as well, is that it is not sent in the initial INVITE.

Thank you for your reply.
But defualtuser can I use it in pjsip.con? However, does it have to match the extension number?
Could you explain better what you mean when you say:
The official advice, although rarely obeyed, is that the user field in incoming SIP requests should not be the extension number, and that is how to get the improvement in security that you suggest. "

So there is no way to have an account decoupled from the internal concept.

Thanks again.

Your terminology seems confused here. I think you are referring to having multiple endpoints having the same authentication parameters. This doesn’t sound very sensible, as compromising one phone will compromise all those with the same parameters.

chan_pjsip allows multiple phones to share an address of record, and multiple address of records to share an endpoint, which is where authentication is done.

The Asterisk core allows a many to many relationship between extensions and endpoints (and extensions are only meaningful for outbound calls, as they are dialplan constructs). WIth more work this can extend down to AORs and even individual registrants.

From a SIP protocol level and PJSIP configuration level it is supported, however each endpoint has to support the difference - and many don’t because it simplifies configuration. Many assume that the username you put in is used EVERYWHERE.

Using the same name is what many people do and is easiest, and provided your password is reasonably complex it’s generally fine. Other people also use things like fail2ban to firewall after failed authentication attempts.

Please explain what you think the parameter does, because I’m pretty sure that you misunderstand it; it is very frequently misunderstood.

I’m not sure if chan_pjsip supports the chan_sip concept, but if if does, I imagine it is done by having both literal contacts and max contacts settings in the type=aor section (generally there are some details of matching and authentication that are under documented, at least under Asterisk (I’m not sure if the pjproject documentation describes a clearer model of how REGISTER and REGISTER are matched, etc.

Hi @david551,
surely my lack of experience is probably confusing me.
I am trying to configure only two extensions. At the moment, the two extensions only need to communicate with each other.
The following questions came to me thinking about the security level.

I start with order my pjsip.conf is defined as follows:

type = transport
protocol = udp; udp, tcp, tls, ws, wss
bind = 15061

And then for the part of the two interiors:

type = endpoint
context = phoneintcall
disallow = all
allow = ulaw
auth = 2000-auth
aors = 2000

type = auth
auth_type = userpass
password = mysecret
username = 2000

type = aor
max_contacts = 10

type = endpoint
context = phoneintcall
disallow = all
allow = ulaw
auth = 2001-auth
aors = 2001

type = auth
auth_type = userpass
password = mysecret
username = 2001

type = aor
max_contacts = 10

In my file extension.conf
exten => 2XXX, 1, Dial (SIP / $ {EXTEN}, 20)
exten => 2XXX, 2, Hangup ()

I thought that username determined an account to register for associated extensions. This would be a great safety advantage but also great flexibility. With one account, I could register a desk phone and a mobile phone with different extensions simultaneously. I understand that with asterisk, it is not possible.

However, when the extensions I mentioned above try to connect, they get a Wrong password error.

So how should I think correctly of the username parameter regarding the definition of the context? [xxxx].
Will the register be username @ IP_ASTERISK and not XXXX @ IP_ASTERISK?

How can I decline an INVITE from an extension not previously registered?

I apologize, but I have little experience.

Thank you very much!

Definitely not the case in chan_sip. I’m not entirely sure how it is handled for inbound authentication in chan_pjsip.

2001 in pjsip.conf is not an extension. It is an endpoint. The security guidance document, which no-one seems to read, advises making this different form any associated extension number.

Look for the “Proper Device Naming” section (unfortunately not a named anchor, so I can’t directly link it).

This does complicate the dialplan, although you only need to use the explicit extension number or one line, and I think there is a function to get the hint dialstring, so that an double as the hint.

1 Like

You are using SIP which is for chan_SIP. You need to use PJSIP/2000.


I’d also add that there are spaces in a number of places which should not have them, although I’m not sure to what extent the parser tolerates them.

Thank you @david551 ,
conceptually, it seems to me that this is what I would like. But that my little knowledge did not allow me to realize. I’m still trying to understand. But then this is possible to achieve it with the formalism provided by pjsip_wizard.con?
I guess I have to use hints in both pjsip_wizard-conf and extensions.conf as well.
But the very useful link you gave me doesn’t specifically mention pjsip_wizard
Thank you so much!

Thank you!
it’s right!!

Most of the documentation is for the standard configuration files.

Hello @david551 ,
thanks for your feedback.
Using pjsip.conf I failed. I get error. The problem is that in extension.conf you have to somehow create a link between, for example, mac address and the extension number.
I will try to deepen.
Thank you very much.

Following is untested.

exten => 2000,hint,PJSIP/xxxxxxxx
exten => 2001,hint,PJSIP/yyyyyyyy
exten => _2XXX,1,Dial(${HINT(${EXTEN}@phoneintcall)}, 20)
exten => _2XXX,2,Hangup()


exten => 2000,1,Dial(PJSIP/xxxxxxx, 20)
exten => 2001,s,Dial(PJSIP/yyyyyyy, 20)
exten => _2XXX,n,Hangup ()

Fixed it, since you can’t pattern match without the _ in front.

Thanks. Also fixed a comma that I lost.

Thank you @david551 @BlazeStudios ,
You have both been very helpful. Before I start putting your teachings into practice in my pjsip.conf, I have a doubt.
Where do I declare the hint and how?
An endpoint will have to declare a hint to allow calling with the usual extension numbers. Am I wrong?

One last thing, but maybe I should open a new topic: after years of not using Asterisk, I managed to make it work in a very minimal way, and I’m happy. But there is something strange: I have my Asterisk installed on a Cloud server, and in the office, I have a software phone on my PC (connected via wifi) and a softphone on my mobile phone. If my mobile phone is connected via wifi, everything is OK, but if I connect to the 4G / 5G network, the phone on my PC hears correctly, but the mobile phone does not hear the audio transmitted by the desk phone. NAT problem? I don’t understand well. Taking a capture from my PC, I only see the RTP packets of my PC and not those of the phone. Sorry for this supplement.

Thank you very much!

It doesn’t have to. The suggestion about hints was that you may well want them, anyway, in order to support busy lamp fields on the phones, so you might as well use them to encode the lookup table. The second variant didn’t use any hints.

Hi @david551,
I’m sorry, I don’t think I understand.
For the second solution you refer to:

exten => 2000,1, Dial (PJSIP / xxxxxxx, 20)
exten => 2001, s, Dial (PJSIP / yyyyyyy, 20)
exten => _2XXX, n, Hangup ()

What do xxxx and yyyyyy mean? How do they tie in with pjsip configurations?

I would not like to declare all the interiors. I would like to use the notation
exten => _2XXX, 1, Dial (PJSIP / ???, 20)

Assuming that in pjsip it has:
type = endpoint
context = internal
disallow = all
allow = ulaw
aors = 6001
auth = authLOGICNAME
direct_media = no

type = aor
max_contacts = 3

type = auth
auth_type = userpass
password = 270870
username = LOGICNAME

How do I configure extension.conf?
How can I indicate that LOGICNAME is an extension (for example 2000) and wants to call the extension 2001?

I apologize very much and thank you so much.