Encrypt voicemail password with Asterisk public key. Asterisk then decrypts the password and takes the hash of it and compares it with the hash stored in voicemail.conf. This way the real password is never stored in voicemail.conf and there is no way to know what the password is just by looking at the file.
--- Tzafrir Cohen <[EMAIL PROTECTED]> wrote:

> On Tue, Nov 28, 2006 at 08:52:22AM -0800, jezzzz . wrote:
> > I was wondering if we could protect against both.
> > Sending a password encrypted would protect against
> > eavesdropping. Once the password has been received,
> > the hash of it is taken and compared with the hash of
> > the password saved, so it also takes care of a local
> > attacker.
>
> Send an encrypted password? Encrypted how, exactly? One common mistake is
> to suggest to simply send the hash, as it is encrypted. But this merely
> makes the hash a "password equivalent": An eavesdropper can use the hash
> to authenticate without knowing the password.
>
> > I could certainly use SSL/TLS, but that still doesn't
> > take care of a local attack to obtain the passwords of
> > the users.
>
> --
> Tzafrir Cohen

--
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
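Added example, not part of the original thread and not Asterisk code: a Python sketch contrasting the two designs discussed above, one where the client sends the hash and one where the server hashes a password received over a protected channel. The record layout, function names, PIN and PBKDF2 parameters are assumptions; the real voicemail.conf format is not modelled, and decryption of the transport is taken as already done.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def make_record(password: str) -> dict:
    """What the server would store instead of the clear-text password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_client_sends_hash(record: dict, received_hash: bytes) -> bool:
    """Flawed design: the client hashes and the server only compares.
    Whatever crosses the wire (or sits in the file) is the credential."""
    return hmac.compare_digest(record["hash"], received_hash)


def verify_client_sends_password(record: dict, received_password: str) -> bool:
    """Design from the reply: the password arrives over a protected channel
    (already decrypted here) and the server computes the hash itself."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received_password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(record["hash"], candidate)


def demo() -> dict:
    record = make_record("4821")  # constructed mailbox PIN
    leaked = record["hash"]       # value seen on the wire or read from the file
    return {
        "hash_accepted_as_credential": verify_client_sends_hash(record, leaked),
        "leaked_hash_as_password": verify_client_sends_password(record, leaked.hex()),
        "real_password": verify_client_sends_password(record, "4821"),
        "wrong_password": verify_client_sends_password(record, "0000"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

When the server does the hashing, a copy of the stored hash no longer authenticates by itself; the channel carrying the password still has to be protected separately.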
