On Wed, Feb 16, 2011 at 12:01:20AM +0100, Hans Witvliet wrote:
> kept on reading the thread...
>
> Wouldn't it be better, for asterisk at least, to get rid of all this
> identification / authentication stuff?
> Keeping config files holding plain passwords or simple md5 isn't the way
> to solve this...
>
> Within the unix world those issues have been solved over and over again.
> Any chance that in 1.10 or scf we might be using something like pam?

This only helps if someone has to prove their identity to you. Not if you have to prove to someone else that you know the password. In the latter case you have to actually know the plain text password, one way or the other. (If you don't, then whatever it is you know is something a remote attacker can use.)

The price for using hashes in Unix is that passwords are sent over the wire.

SASL and other challenge-response authentication algorithms assume you have a common secret. And thus the server has to know the plain text password (but it is not sent in clear over the wire).

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
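
The trade-off described in the reply above, as an added example that is not part of the original message. It assumes the RFC 2617 digest form without qop as the challenge-response scheme and PBKDF2 as the Unix-style hash; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Unix-style storage: salted one-way hash; the verifier needs the plaintext.
def unix_enroll(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def unix_verify(record, password_from_wire):
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password_from_wire.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)

# Digest challenge-response (RFC 2617 form, no qop): both ends hold HA1.
def ha1(user, realm, password):
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(secret_ha1, nonce, method, uri):
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{secret_ha1}:{nonce}:{ha2}")

def digest_verify(stored_ha1, nonce, method, uri, response):
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def demo():
    # Constructed sample values, not taken from the thread.
    user, realm, password = "alice", "pbx.example", "correct horse"
    method, uri = "REGISTER", "sip:pbx.example"
    nonce = os.urandom(16).hex()
    unix_record = unix_enroll(password)
    server_ha1 = ha1(user, realm, password)
    client_reply = digest_response(ha1(user, realm, password), nonce, method, uri)
    return {
        # Works, but only because the plaintext reached the verifier.
        "unix_with_plaintext": unix_verify(unix_record, password),
        # Password never sent; the server checks the reply using its HA1.
        "digest_with_password": digest_verify(server_ha1, nonce, method, uri, client_reply),
        # The reply depends only on HA1, so protect it like the password.
        "digest_with_ha1_only": digest_response(server_ha1, nonce, method, uri) == client_reply,
        # A server holding only the Unix hash cannot check a valid reply.
        "digest_from_unix_hash": digest_verify(unix_record[1].hex(), nonce, method, uri, client_reply),
    }
```

Calling `demo()` returns the four outcomes as a dictionary; the last one is the case the reply rules out, a PAM-style hash store used to verify a challenge-response login.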