Re: [asterisk-users] Secure passwords, was LDAP integration

2009-09-29 Thread John A. Sullivan III
On Tue, 2009-09-29 at 11:23 -0500, Tilghman Lesher wrote:
> On Tuesday 29 September 2009 10:30:37 John A. Sullivan III wrote:
> > Second, I believe we saw a way we could map the Asterisk password to the
> > regular user password (it's been a while so I'm not sure about that) but
> > were concerned about the problems of entering secure passwords from a
> > phone keypad.  We enforce fairly secure passwords - at least nine
> > characters with some variety of characters and encourage much longer
> > passwords.  Having to enter lots of characters in both cases as well as
> > symbols seemed difficult from a phone keypad.  Thus, we decided
> > (reluctantly) to use separate simple passwords for phone access instead
> > of the very secure passwords we use to data access.
> 
> I would hope that you're at least restricting your peers to be limited to a
> set of IPs distinctive to your phones.  Otherwise, this is a recipe for
> disaster, especially if a) your registration server is accessible externally,
> and b) your phones are permitted to make toll calls, especially international
> numbers.
> 
> Most good IP phones permit a method of configuration which does not require
> typing a password into a keypad.  You should probably learn to use that method
> or switch to a phone with that ability, then use secure passwords.  Phones are
> just as important as data and should be supplied with complex passwords.
> 
Thanks for the feedback.  Indeed, we do restrict the SIP domains and do
not allow registration from outside the internal network and we do use
passwords - just not as sophisticated.

Perhaps I am being overly conscious of client simplicity.  I was
thinking of the case where internal users might temporarily move to
another phone.  Rather than pulling up the web interface to the phone,
we wanted them to be able to register through the phone keypad.  I
suppose they would need to enter their IDs anyway and those are
alpha-numeric.  Thus, the entering passwords would be similar to
entering the IDs.  On the other hand, we do tend to use the same
registration password for voicemail and meetme and those are regularly
entered from the key pad.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2009 - October 13 - 15 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Secure passwords, was LDAP integration

2009-09-29 Thread Tilghman Lesher
On Tuesday 29 September 2009 10:30:37 John A. Sullivan III wrote:
> Second, I believe we saw a way we could map the Asterisk password to the
> regular user password (it's been a while so I'm not sure about that) but
> were concerned about the problems of entering secure passwords from a
> phone keypad.  We enforce fairly secure passwords - at least nine
> characters with some variety of characters and encourage much longer
> passwords.  Having to enter lots of characters in both cases as well as
> symbols seemed difficult from a phone keypad.  Thus, we decided
> (reluctantly) to use separate simple passwords for phone access instead
> of the very secure passwords we use to data access.

I would hope that you're at least restricting your peers to be limited to a
set of IPs distinctive to your phones.  Otherwise, this is a recipe for
disaster, especially if a) your registration server is accessible externally,
and b) your phones are permitted to make toll calls, especially international
numbers.

Most good IP phones permit a method of configuration which does not require
typing a password into a keypad.  You should probably learn to use that method
or switch to a phone with that ability, then use secure passwords.  Phones are
just as important as data and should be supplied with complex passwords.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2009 - October 13 - 15 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users