On Wed, Feb 16, 2011 at 12:01:20AM +0100, Hans Witvliet wrote:
> kept on reading the thread...
> 
> Wouldn't it be better, for asterisk at least, to get rid of all this
> identification / authentication stuff?
> Keeping config files holding plain passwords or simple md5 isn't the way
> to solve this...
> 
> Within the unix world those issues have been solved over and over again.
> Any chance that in 1.10 or scf we might be using something like pam?

This only helps if someone has to prove the identity to you. Not if you
have to prove to someone else that you know the password. In the latter
case you have to actually know the plain text password, one way or the
other.

(If you don't, then whatever it is you know, is something a remote
attacker can use).

The price for using hashes in Unix is that passwords are sent over
the wire. SASL and other challenge-response authentication algorithms
assume you have a common secret. And thus the server has to know the
plain text password (but it is not sent in clear over the wire).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir
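
The trade-off described in this message, as an added example that is not part of the original post and is not Asterisk's code: a Unix-style hashed verifier needs the plaintext on the wire, a challenge-response scheme needs a common secret on the server, and a stored hash used as that secret is password-equivalent. PBKDF2, HMAC-SHA256, the sample password and all function names are assumptions chosen for the illustration.

```python
import hashlib, hmac, os

# Constructed sample credential, for illustration only.
PASSWORD = b"constructed-example-secret"

# --- Model 1: Unix-style verifier (someone proves identity to you) ---
def unix_enroll(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def unix_verify(record, password_from_wire):
    # The plaintext password has to arrive over the wire to be re-hashed.
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password_from_wire, salt, 100_000)
    return hmac.compare_digest(stored, candidate)

# --- Model 2: challenge-response (both sides hold a common secret) ---
def new_challenge():
    return os.urandom(16)

def respond(secret, challenge):
    # Only this value crosses the wire; the secret itself does not.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def cr_verify(server_secret, challenge, response):
    return hmac.compare_digest(respond(server_secret, challenge), response)

# --- Model 3: challenge-response keyed by a stored hash ---
def hashed_secret(password):
    # Whatever the server stores here *is* the common secret.
    return hashlib.sha256(password).digest()

def demo():
    record = unix_enroll(PASSWORD)
    ch = new_challenge()
    stored = hashed_secret(PASSWORD)
    return {
        "unix_ok": unix_verify(record, PASSWORD),
        # The stored hash is useless as a login credential in model 1.
        "unix_hash_as_password": unix_verify(record, record[1]),
        "cr_ok": cr_verify(PASSWORD, ch, respond(PASSWORD, ch)),
        # In model 3 the stored value alone answers the challenge,
        # so it needs the same protection as a plaintext password.
        "cr_stored_value_suffices": cr_verify(stored, ch, respond(stored, ch)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```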
