res_pjsip.c: OPTIONS processing can now optionally skip authentication

ASTERISK-27477 #close

Change-Id: I68f6715bba92a525149e35d142a49377a34a1193

configs/samples/pjsip.conf.sample

@@ -927,6 +927,26 @@
                            ; happens to the call if verification fails; it's up to
                            ; you to determine what to do with the results.
                            ; (default: no)
+;allow_unauthenticated_options =
+                           ; By default, chan_pjsip will challenge an incoming
+                           ; OPTIONS request for authentication credentials just
+                           ; as it would an INVITE request. This is consistent
+                           ; with RFC 3261.
+                           ; There are many UAs that use an OPTIONS request as a
+                           ; "ping" and they expect a 200 response indicating that
+                           ; the remote party is up and running without a need to
+                           ; authenticate.
+                           ; Setting allow_unauthenticated_options to 'yes' will
+                           ; instruct chan_pjsip to skip the authentication step
+                           ; when it receives an OPTIONS request for this
+                           ; endpoint.
+                           ; There are security implications to enabling this
+                           ; setting as it can allow information disclosure to
+                           ; occur - specifically, if enabled, an external party
+                           ; could enumerate and find the endpoint name by
+                           ; sending OPTIONS requests and examining the
+                           ; responses.
+                           ; (default: no)
 
 ;==========================AUTH SECTION OPTIONS=========================
 ;[auth]