On Wed, Feb 16, 2011 at 12:01:20AM +0100, Hans Witvliet wrote:
kept on reading the thread...
Wouldn't it be better, for asterisk at least, to get rid of all this
identification / authentication stuff?
Keeping config files holding plain passwords or simple md5 isn't the way
to solve this...
On Tue, Feb 15, 2011 at 11:51:26PM +0100, Hans Witvliet wrote:
On Tue, 2011-02-15 at 07:18 -0500, Richard Kenner wrote:
Anyway, the answer is: No, it's mathematically impossible to do
that. Even if the passwords were stored encrypted, Asterisk itself
has to be able to get the plaintext
On 02/15/2011 06:08 PM, Jian Gao wrote:
How about encrypt the whole hard drive?
If I built a server and give to other people, there is no easy way to
stop them reset the root password or just mount my drive to read
everything on it. But if build an encrypt OS then it will be secure. My
question
ken...@gnat.com (Richard Kenner) writes:
Here's a possible design:
- There's optionally a file in the config
directory called master_key. It contains just a string.
- A CLI command core encrypt string is added to Asterisk. It takes the
provided string, encrypts it using the string in
- The config file reader looks for strings of the form {enc:string}:
and replaces them, before otherwise parsing the line, with the decrypted
version of the string using the key in the master_key file.
This sounds pretty reasonable, except perhaps that you might only want
to convert
-Commercial Discussion
Subject: Re: [asterisk-users] Hide the plain text password
Security through obscurity does not work with open source software.
What a bold statement, are you telling me it works with closed source
software? :P
I love this, here you go, security through obscurity at its
Anyway, the answer is: No, it's mathematically impossible to do
that. Even if the passwords were stored encrypted, Asterisk itself
has to be able to get the plaintext passwords to send to the remote
server; so the code to decrypt them must necessarily be located on
the machine. And the
On 02/15/2011 06:18 AM, Richard Kenner wrote:
Anyway, the answer is: No, it's mathematically impossible to do
that. Even if the passwords were stored encrypted, Asterisk itself
has to be able to get the plaintext passwords to send to the remote
server; so the code to decrypt them must
On Tue, Feb 15, 2011 at 07:18:08AM -0500, Richard Kenner wrote:
Anyway, the answer is: No, it's mathematically impossible to do
that. Even if the passwords were stored encrypted, Asterisk itself
has to be able to get the plaintext passwords to send to the remote
server; so the code to
How does that improve things? The reason that works with Cisco routers
is because the code that reads that special key file and uses it to
decrypt the other files is closed-source; nobody can see how it works.
As another poster said, that's not true for Asterisk. If Asterisk had
such a
Right. But it really won't help much (except complicating things) if the
user has decent access to Asterisk.
Yes, but we're talking about cases where the user *doesn't* have access
to Asterisk. At many locations, including mine, Asterisk runs on a
machine dedicated for that purpose and only
On Tue, Feb 15, 2011 at 07:54:54AM -0500, Richard Kenner wrote:
Right. But it really won't help much (except complicating things) if the
user has decent access to Asterisk.
Yes, but we're talking about cases where the user *doesn't* have access
to Asterisk. At many locations, including
#include the password (a file the line 'secret=') from a local file on
the file system. The user has no access to it, right?
Right, but we're not talking ONE password, but ANY password. Having
dozens of those files, one for each password, gets to be a real pain
really fast. And you STILL want
On 15 Feb 2011, at 13:17, Richard Kenner wrote:
Of course not! It would be useless if that were the case: the whole
point here would be that you need the master encryption key.
Here's a possible design:
- There's optionally a file in the config
directory called master_key. It contains
On Tue, Feb 15, 2011 at 08:17:20AM -0500, Richard Kenner wrote:
#include the password (a file the line 'secret=') from a local file on
the file system. The user has no access to it, right?
Right, but we're not talking ONE password, but ANY password. Having
dozens of those files, one for
Security through obscurity does not work with open source software.
What a bold statement, are you telling me it works with closed source
software? :P
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of C F
Sent: Tuesday, February 15, 2011 9:29 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Hide the plain text password
On 02/15/2011 09:29 AM, C F wrote:
Security through obscurity does not work with open source software.
What a bold statement, are you telling me it works with closed source
software? :P
Depends on your definition of 'works' I guess :-)
With closed source software, it takes rather longer
On Tue, 2011-02-15 at 07:18 -0500, Richard Kenner wrote:
Anyway, the answer is: No, it's mathematically impossible to do
that. Even if the passwords were stored encrypted, Asterisk itself
has to be able to get the plaintext passwords to send to the remote
server; so the code to decrypt
kept on reading the thread...
Wouldn't it be better, for asterisk at least, to get rid of all this
identification / authentication stuff?
Keeping config files holding plain passwords or simple md5 isn't the way
to solve this...
Within the unix world those issues have been solved over and over
How about encrypt the whole hard drive?
If I built a server and give to other people, there is no easy way to
stop them reset the root password or just mount my drive to read
everything on it. But if build an encrypt OS then it will be secure. My
question here are: 1Is this against Asterisk
How about encrypt the whole hard drive?
If I built a server and give to other people, there is no easy way to
stop them reset the root password or just mount my drive to read
everything on it. But if build an encrypt OS then it will be secure.
It will be more secure. However, you
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text password?
--
*Jian *
On 2/14/2011 4:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text password?
I think 'md5secret' is what you're looking for.
http://www.voip-info.org/wiki/view/Asterisk+sip+md5secret
On 02/14/2011 03:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text password?
Who are you hiding them from? Anyone with access to the Asterisk server
can already do far more damage than
On Mon, Feb 14, 2011 at 6:46 PM, Kevin P. Fleming kpflem...@digium.com wrote:
On 02/14/2011 03:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text password?
Who are you hiding them from?
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jeremy Kister
Sent: Monday, February 14, 2011 3:44 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Hide the plain text
I am building a server for a client. I want them to try out the new
Google Voice feature using my GV account. But I don't want expose my
GV's password.
*Jian *
On 11-02-14 01:46 PM, Kevin P. Fleming wrote:
On 02/14/2011 03:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are
On 02/14/2011 04:08 PM, Jian Gao wrote:
I am building a server for a client. I want them to try out the new
Google Voice feature using my GV account. But I don't want expose my
GV's password.
There is no method to obscure a Google Voice password in the config
file. chan_sip supports obscured
Who are you hiding them from? Anyone with access to the Asterisk server
can already do far more damage than extracting these passwords.
You may (like we do) want to store config files in a version control system
in a common repository. People who have access to that repository don't
necessary
On 11-02-14 05:10 PM, Kevin P. Fleming wrote:
On 02/14/2011 04:08 PM, Jian Gao wrote:
I am building a server for a client. I want them to try out the new
Google Voice feature using my GV account. But I don't want expose my
GV's password.
There is no method to obscure a Google Voice password
On 11-02-14 05:08 PM, Jian Gao wrote:
I am building a server for a client. I want them to try out the new Google Voice
feature using my GV account. But I don't want expose my GV's password.
Actually in this case, your best bet is just going to be to create a separate
account where you don't