Re: [asterisk-users] Secure passwords, was LDAP integration

2009-09-29 Thread Tilghman Lesher
On Tuesday 29 September 2009 10:30:37 John A. Sullivan III wrote:
 Second, I believe we saw a way we could map the Asterisk password to the
 regular user password (it's been a while so I'm not sure about that) but
 were concerned about the problems of entering secure passwords from a
 phone keypad.  We enforce fairly secure passwords - at least nine
 characters with some variety of characters and encourage much longer
 passwords.  Having to enter lots of characters in both cases as well as
 symbols seemed difficult from a phone keypad.  Thus, we decided
 (reluctantly) to use separate simple passwords for phone access instead
 of the very secure passwords we use for data access.

I would hope that you're at least restricting your peers to be limited to a
set of IPs distinctive to your phones.  Otherwise, this is a recipe for
disaster, especially if a) your registration server is accessible externally,
and b) your phones are permitted to make toll calls, especially international
numbers.

Most good IP phones permit a method of configuration which does not require
typing a password into a keypad.  You should probably learn to use that method
or switch to a phone with that ability, then use secure passwords.  Phones are
just as important as data and should be supplied with complex passwords.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com  www.asterisk.org

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2009 - October 13 - 15 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Secure passwords, was LDAP integration

2009-09-29 Thread John A. Sullivan III
On Tue, 2009-09-29 at 11:23 -0500, Tilghman Lesher wrote:
 On Tuesday 29 September 2009 10:30:37 John A. Sullivan III wrote:
  Second, I believe we saw a way we could map the Asterisk password to the
  regular user password (it's been a while so I'm not sure about that) but
  were concerned about the problems of entering secure passwords from a
  phone keypad.  We enforce fairly secure passwords - at least nine
  characters with some variety of characters and encourage much longer
  passwords.  Having to enter lots of characters in both cases as well as
  symbols seemed difficult from a phone keypad.  Thus, we decided
  (reluctantly) to use separate simple passwords for phone access instead
  of the very secure passwords we use for data access.
 
 I would hope that you're at least restricting your peers to be limited to a
 set of IPs distinctive to your phones.  Otherwise, this is a recipe for
 disaster, especially if a) your registration server is accessible externally,
 and b) your phones are permitted to make toll calls, especially international
 numbers.
 
 Most good IP phones permit a method of configuration which does not require
 typing a password into a keypad.  You should probably learn to use that method
 or switch to a phone with that ability, then use secure passwords.  Phones are
 just as important as data and should be supplied with complex passwords.
 
Thanks for the feedback.  Indeed, we do restrict the SIP domains and do
not allow registration from outside the internal network and we do use
passwords - just not as sophisticated.

Perhaps I am being overly conscious of client simplicity.  I was
thinking of the case where internal users might temporarily move to
another phone.  Rather than pulling up the web interface to the phone,
we wanted them to be able to register through the phone keypad.  I
suppose they would need to enter their IDs anyway and those are
alpha-numeric.  Thus, entering passwords would be similar to
entering the IDs.  On the other hand, we do tend to use the same
registration password for voicemail and meetme and those are regularly
entered from the keypad.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
