Re: [SR-Users] DBURL password in clear

2017-12-01 Thread Daniel-Constantin Mierla
Hello,


On 30.11.17 21:39, Robert wrote:
> Hello Daniel,
>
> Sincere apologies for the tardy reply! There are lots of challenges
> I’ll face, but fortunately I only need to secure the application, it
> is for others to worry about preventing platform access etc. (but on
> the hardened OS, I’d be amazed if gdb was available ;).
kamailio is usually started as root to read protected files like
kamailio.cfg as well as create control files/sockets and then switches
to an unprivileged user (e.g., kamailio). If one gets root, installing
gdb or other tools won't be a big deal ...

Cheers,
Daniel

>
> The -f - solution may be what is the best approach.
>
> Thank you.
>
> Robert.
>
>> On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla wrote:
>>
>> Hello,
>>
>> just remembered that a while ago I added support for the config file
>> name '-' (dash/minus char) which means kamailio reads the config from
>> standard input. This can be used to direct content of the
>> kamailio.cfg from a safe system. For example, if one stores the
>> config file on a web server, can do:
>>
>> curl https://myserver.com/kamailio.cfg | kamailio -f -
>>
>> It can be a webserver asking for a password.
>>
>> In the context of keeping it encrypted, there can be a tool that
>> fetches and decrypts kamailio.cfg content and prints it to the
>> standard output.
>>
>> Using this, not even kamailio.cfg needs to be saved on the local disc.
>>
>> On the other hand, as I said in a previous response, if an untrusted
>> person gets access with root privileges, then they can attach to a
>> running kamailio process with gdb and read from memory.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 17.11.17 08:02, Jurijs Ivolga wrote:
>>> Hi Robert,
>>>
>>> I'm not a security expert and I'm quite new to docker, but I think a
>>> password in a Docker container which will be saved in clear text
>>> somewhere should not be a problem, as long as you do not save this
>>> password to an image or git etc...
>>>
>>> I think the best way for you is to use docker secrets, generate the
>>> config file for Kamailio from these docker secrets and then start
>>> Kamailio; for all of this you need to write some kind of entrypoint
>>> script. Here is an example of how Homer Sipcapture does something
>>> similar: they set environment variables in docker-compose and then
>>> generate the config file based on them, but you can probably use
>>> docker secrets instead of environment variables:
>>>
>>> https://github.com/sipcapture/homer-docker/tree/master/kamailio
>>>
>>> I found one more interesting link regarding docker secrets:
>>>
>>> https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
>>>
>>> With kind regards,
>>>
>>> Jurijs
>>>
>>> On Thu, Nov 16, 2017 at 11:58 PM, Robert wrote:
>>>
>>> That’d presumably leave the clear text footprint I'm trying to
>>> avoid, albeit in a non-Kamailio file. I’ve made a start on an
>>> approach to read from a file, Docker secrets are basically just
>>> files, but the Docker platform handles them securely.
>>>
>>> Thanks - Robert...
>>>
>>> > On 16 Nov 2017, at 21:46, Bastian Triller wrote:
>>> >
>>> > Isn't using a group in the db URL an option? Generate some .cnf in
>>> > /etc/mysql/conf.d (or where MySQL searches its configuration in a
>>> > Docker container) from the secret and use the group in your db
>>> URL in
>>> > kamailio.cfg.
>>> >
>>> >
>>> > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>>>
>>>
>>> ___
>>> Kamailio (SER) - Users Mailing List
>>> sr-users@lists.kamailio.org 
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> -- 
>> Daniel-Constantin Mierla
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio Advanced Training - www.asipto.com
>> Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
>> ___
>> Kamailio (SER) - Users Mailing List
>> sr-users@lists.kamailio.org 
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com

___

Re: [SR-Users] DBURL password in clear

2017-11-30 Thread Robert
Hello Daniel,

Sincere apologies for the tardy reply! There are lots of challenges I’ll face, 
but fortunately I only need to secure the application, it is for others to 
worry about preventing platform access etc. (but on the hardened OS, I’d be 
amazed if gdb was available ;).

The -f - solution may be what is the best approach.

Thank you.

Robert.

> On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla wrote:
> 
> Hello,
> 
> just remembered that a while ago I added support for the config file name '-' 
> (dash/minus char) which means kamailio reads the config from standard input. 
> This can be used to direct content of the kamailio.cfg from a safe system. 
> For example, if one stores the config file on a web server, can do:
> 
> curl https://myserver.com/kamailio.cfg | kamailio -f -
> 
> It can be a webserver asking for a password.
> 
> In the context of keeping it encrypted, there can be a tool that fetches and 
> decrypts kamailio.cfg content and prints it to the standard output.
> 
> Using this, not even kamailio.cfg needs to be saved on the local disc.
> 
> On the other hand, as I said in a previous response, if an untrusted person 
> gets access with root privileges, then they can attach to a running kamailio 
> process with gdb and read from memory.
> 
> Cheers,
> Daniel
> 
> On 17.11.17 08:02, Jurijs Ivolga wrote:
>> Hi Robert,
>> 
>> I'm not a security expert and I'm quite new to docker, but I think a password 
>> in a Docker container which will be saved in clear text somewhere should not 
>> be a problem, as long as you do not save this password to an image or git etc...
>> 
>> I think the best way for you is to use docker secrets, generate the config 
>> file for Kamailio from these docker secrets and then start Kamailio; for all 
>> of this you need to write some kind of entrypoint script. Here is an example 
>> of how Homer Sipcapture does something similar: they set environment 
>> variables in docker-compose and then generate the config file based on them, 
>> but you can probably use docker secrets instead of environment variables:
>> 
>> https://github.com/sipcapture/homer-docker/tree/master/kamailio 
>> 
>> 
>> I found one more interesting link regarding docker secrets:
>> 
>> https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/ 
>> 
>> 
>> With kind regards,
>> 
>> Jurijs
>> 
>> On Thu, Nov 16, 2017 at 11:58 PM, Robert wrote:
>> That’d presumably leave the clear text footprint I'm trying to avoid, albeit 
>> in a non-Kamailio file. I’ve made a start on an approach to read from a 
>> file, Docker secrets are basically just files, but the Docker platform 
>> handles them securely.
>> 
>> Thanks - Robert...
>> 
>> > On 16 Nov 2017, at 21:46, Bastian Triller wrote:
>> >
>> > Isn't using a group in the db URL an option? Generate some .cnf in
>> > /etc/mysql/conf.d (or where MySQL searches its configuration in a
>> > Docker container) from the secret and use the group in your db URL in
>> > kamailio.cfg.
>> >
>> > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>> 
>> 
>> ___
>> Kamailio (SER) - Users Mailing List
>> sr-users@lists.kamailio.org 
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users 
> 
> -- 
> Daniel-Constantin Mierla
> www.twitter.com/miconda  -- 
> www.linkedin.com/in/miconda 
> Kamailio Advanced Training - www.asipto.com 
> Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com 
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-17 Thread Daniel-Constantin Mierla
Hello,

just remembered that a while ago I added support for the config file
name '-' (dash/minus char) which means kamailio reads the config from
standard input. This can be used to direct content of the kamailio.cfg
from a safe system. For example, if one stores the config file on a web
server, can do:

curl https://myserver.com/kamailio.cfg | kamailio -f -

It can be a webserver asking for a password.

In the context of keeping it encrypted, there can be a tool that fetches
and decrypts kamailio.cfg content and prints it to the standard output.

Using this, not even kamailio.cfg needs to be saved on the local disc.

On the other hand, as I said in a previous response, if an untrusted
person gets access with root privileges, then they can attach to a running
kamailio process with gdb and read from memory.

Cheers,
Daniel


On 17.11.17 08:02, Jurijs Ivolga wrote:
> Hi Robert,
>
> I'm not a security expert and I'm quite new to docker, but I think a
> password in a Docker container which will be saved in clear text
> somewhere should not be a problem, as long as you do not save this
> password to an image or git etc...
>
> I think the best way for you is to use docker secrets, generate the
> config file for Kamailio from these docker secrets and then start
> Kamailio; for all of this you need to write some kind of entrypoint
> script. Here is an example of how Homer Sipcapture does something
> similar: they set environment variables in docker-compose and then
> generate the config file based on them, but you can probably use
> docker secrets instead of environment variables:
>
> https://github.com/sipcapture/homer-docker/tree/master/kamailio
>
> I found one more interesting link regarding docker secrets:
>
> https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
>
> With kind regards,
>
> Jurijs
>
> On Thu, Nov 16, 2017 at 11:58 PM, Robert wrote:
>
> That’d presumably leave the clear text footprint I'm trying to
> avoid, albeit in a non-Kamailio file. I’ve made a start on an
> approach to read from a file, Docker secrets are basically just
> files, but the Docker platform handles them securely.
>
> Thanks - Robert...
>
> > On 16 Nov 2017, at 21:46, Bastian Triller wrote:
> >
> > Isn't using a group in the db URL an option? Generate some .cnf in
> > /etc/mysql/conf.d (or where MySQL searches its configuration in a
> > Docker container) from the secret and use the group in your db
> URL in
> > kamailio.cfg.
> >
> >
> > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>
>
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org 
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-17 Thread Daniel-Constantin Mierla


On 16.11.17 10:34, Daniel Tryba wrote:
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
>>> I'm working for a UK high street bank and our Kamailio implementation has 
>>> been challenged because we've got database passwords held in clear in the 
>>> configuration file.
> ...
>>> My requirement is simple, I need to be able to supply a password via means 
>>> such as loading a variable from a run-once script at start up, or a module. 
>>> The ideal would be to be able to read in a Docker secret :)
>>>
>> you can define a token to be used inside kamailio.cfg by using the -A
>> command line parameter. So when you start kamailio, fetch the password
>> from your secure system by whatsoever means, then build the database
>> url based on it and run kamailio with:
>>
>> kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)

Indeed, this is a valid concern in this context.
>
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (ofcourse in a secure way (shred the
> file and overwrite all freespace with a multiple patters a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running. 
Right, a better option is the included file that can be removed. With
the default kamailio.cfg, one can generate kamailio-local.cfg in the
same folder as kamailio.cfg, and inside kamailio-local.cfg have:

#!define DBURL ""

Once kamailio is started, the file can be removed.

On the other hand, if the file is accessible only by the root user and
nobody else can see it, removing it won't add much protection, maybe just
for the long term when the server is decommissioned and it's good not to
have a file with such content. Because someone with root access can deploy
gdb and then attach to a running kamailio process and read values from its
memory...

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com


___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
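An added example, not code from this thread or from the Kamailio project, for the include-file approach discussed above (generate kamailio-local.cfg from a secret at startup, start kamailio, then remove the file), together with the quoting the -A form needs. It assumes a Docker secret mounted at /run/secrets/kamailio_db_password (an assumed name), a db_mysql URL, and a main kamailio.cfg that imports kamailio-local.cfg from its own directory, as the default config does; the function names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the thread or the Kamailio project).
# Assumed: Docker secret at /run/secrets/kamailio_db_password (hypothetical
# name), a db_mysql URL, and a main kamailio.cfg that does
# #!import_file "kamailio-local.cfg" from its own directory.

# Only allow characters that cannot change how the db URL or the cfg string
# literal is parsed. Whether kamailio percent-decodes the password part of the
# URL is not established here, so anything outside this set is rejected.
password_is_safe() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9._~%+=-]'; then
        return 1
    fi
    return 0
}

# make_local_cfg <secret-file> <db-user> <db-host> <db-name> <out-file>
# Writes:  #!define DBURL "mysql://user:pass@host/db"   with mode 0600
make_local_cfg() {
    secret_file=$1 user=$2 host=$3 db=$4 out=$5
    pass=$(head -n 1 "$secret_file")   # first line; trailing newline dropped
    password_is_safe "$pass" || { echo "refusing password with unsafe characters" >&2; return 1; }
    # printf, not echo: the value is substituted once here and never re-expanded;
    # umask in a subshell so only this file gets owner-only permissions
    ( umask 077 && printf '#!define DBURL "mysql://%s:%s@%s/%s"\n' "$user" "$pass" "$host" "$db" > "$out" )
}

# For comparison only: the -A form. The value must carry its own double quotes
# (the '"mysql://..."' quoting from the thread) because the define is pasted
# verbatim into the cfg, where modparam() expects a string literal. Not used
# for the password below, since the whole argv is visible in `ps`.
dburl_define_arg() {
    printf 'DBURL="mysql://%s:%s@%s/%s"' "$1" "$2" "$3" "$4"
}

# Entrypoint flow: write the include, start kamailio in the foreground (-DD,
# -E logs to stderr), scrub the include once the config has been read, then
# wait on kamailio. Caveat: shred cannot overwrite in place on overlay or
# other copy-on-write storage; keep the cfg directory on a tmpfs mount so the
# file never reaches disk at all.
run_kamailio() {
    cfg_dir=${1:-/etc/kamailio}
    make_local_cfg /run/secrets/kamailio_db_password kamailio dbhost kamailio \
        "$cfg_dir/kamailio-local.cfg" || return 1
    kamailio -f "$cfg_dir/kamailio.cfg" -DD -E &
    kpid=$!
    sleep 2   # the cfg and its includes are parsed once at startup; tune for your host
    shred -u "$cfg_dir/kamailio-local.cfg" 2>/dev/null || rm -f "$cfg_dir/kamailio-local.cfg"
    wait "$kpid"
}

# Entrypoint usage:  run_kamailio /etc/kamailio
```

The whitelist in password_is_safe is deliberately strict: a password containing `@`, `:` or `/` would shift the boundaries of the user:pass@host/db URL, and a `"` or `\` would break the cfg string literal; rotating such a password is cheaper than discovering at startup that the URL parses differently.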


Re: [SR-Users] DBURL password in clear

2017-11-17 Thread Daniel-Constantin Mierla


On 15.11.17 18:27, Robert wrote:
> Thank you Daniel. This provides me with some capability, but I can’t
> seem to consume the result in the configuration, I just get lots of
> errors. The issue seems to be that the value of the define, passed via
> -A doesn’t seem to be processed in anyway.
>
> I’ve had a quick look in the cfg.lex and cfg.y files, but that’s the
> first time delving into Flex etc. so I’m not sure I’m following it
> correctly.
>
> I’ve tried every combination of encapsulation of the parameters in
> single and double quotes I can think of i.e. -A DBURL=“…”, -A
> “DBURL=…”, all with the same result.

The variants of quoting were referring to the value of DBURL, maybe it
was not clear ... Anyhow, I just tried and the next command starts
kamailio with the default config:

./src/kamailio -f etc/kamailio.cfg -A WITH_MYSQL -A WITH_AUTH -A DBURL='"mysql://kamailio:kamailiorw@localhost/kamailio"' -L src/modules/ -a no -E -e -ddd

Note that the value for DBURL is enclosed first in between ' ' and then
inside are " ".

Cheers,
Daniel

>
> I also tried #!subst "/DB_URL/DBURL/g" but that doesn't seem to expand
> out the DBURL define.
>
> In short, I’m stumped… Any further thoughts would be truly
> appreciated. I’ve put a few error details in the mail below. I’m
> feeling that I may need to resort to changing the behaviour of the
> subst directive to meet my needs (more likely, add substvar,
> substfromfile or some such).
>
> Any further thoughts would be truly welcome, otherwise I think I’m
> going to have to dig out my dusty K book and roll my sleeves up…
> Sincere thanks in advance for any ideas.
>
> Cheers - Robert...
>
> -
>
> In the configuration file, I have failures for example on:
>
> modparam("htable", "db_url", DBURL)
>
> when launched with the -A results in:
>
> 0(7) DEBUG:  [core/cfg.lex:1838]: pp_define_get(): ### returning
> define ID [DBURL] value [oracle://username:password@/DB]
> 0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: syntax error
> 0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: Invalid arguments
> 0(7) CRITICAL:  [core/cfg.y:3434]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
> ERROR: bad config file (3 errors)
>
> I’ve tried with #!subst but it seems that pre-processor directive
> doesn’t expand out defines, so:
>
> #!subst "/DB_URL/DBURL/g"
> modparam("htable", "db_url", DB_URL)
>
> just results in:
>
> 0(7) INFO:  [core/ppcfg.c:82]: pp_subst_add(): ### added subst
> expression: /DB_URL/DBURL/g
> 0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
> 0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
> 0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
> 0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: syntax error
> 0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column
> 30-35: Invalid arguments
> 0(7) CRITICAL:  [core/cfg.y:3434]: yyerror_at(): parse error in
> config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
> ERROR: bad config file (3 errors)
>
>
>
>> On 15 Nov 2017, at 07:46, Daniel-Constantin Mierla wrote:
>>
>> Hello,
>>
>>
>> On 14.11.17 14:25, Robert wrote:
>>> Hello,
>>>
>>> I’m working for a UK high street bank and our Kamailio
>>> implementation has been challenged because we’ve got database
>>> passwords held in clear in the configuration file.
>>>
>>> I am unable to find any examples of where this has been worked
>>> around, there doesn’t seem to be any module or configuration means
>>> of supplying a variable in the modparam() entry that is expanded a
>>> startup. The security tutorials only seem to relate to the SIP level
>>> of security, not Kamailio as a platform.
>>>
>>> My requirement is simple, I need to be able to supply a password via
>>> means such as loading a variable from a run-once script at start up,
>>> or a module. The ideal would be to be able to read in a Docker secret :)
>>>
>>> I am by no means a Kamailio expert, so apologies in advance if 

Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Jurijs Ivolga
Hi Robert,

I'm not a security expert and I'm quite new to docker, but I think a password
in a Docker container which will be saved in clear text somewhere should not
be a problem, as long as you do not save this password to an image or git
etc...

I think the best way for you is to use docker secrets, generate the config
file for Kamailio from these docker secrets and then start Kamailio; for
all of this you need to write some kind of entrypoint script. Here is an
example of how Homer Sipcapture does something similar: they set environment
variables in docker-compose and then generate the config file based on them,
but you can probably use docker secrets instead of environment variables:

https://github.com/sipcapture/homer-docker/tree/master/kamailio

I found one more interesting link regarding docker secrets:

https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/

With kind regards,

Jurijs

On Thu, Nov 16, 2017 at 11:58 PM, Robert wrote:

> That’d presumably leave the clear text footprint I'm trying to avoid,
> albeit in a non-Kamailio file. I’ve made a start on an approach to read
> from a file, Docker secrets are basically just files, but the Docker
> platform handles them securely.
>
> Thanks - Robert...
>
> > On 16 Nov 2017, at 21:46, Bastian Triller wrote:
> >
> > Isn't using a group in the db URL an option? Generate some .cnf in
> > /etc/mysql/conf.d (or where MySQL searches its configuration in a
> > Docker container) from the secret and use the group in your db URL in
> > kamailio.cfg.
> >
> > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>
>
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Robert
That’d presumably leave the clear text footprint I'm trying to avoid, albeit in 
a non-Kamailio file. I’ve made a start on an approach to read from a file, 
Docker secrets are basically just files, but the Docker platform handles them 
securely.

Thanks - Robert...

> On 16 Nov 2017, at 21:46, Bastian Triller wrote:
> 
> Isn't using a group in the db URL an option? Generate some .cnf in
> /etc/mysql/conf.d (or where MySQL searches its configuration in a
> Docker container) from the secret and use the group in your db URL in
> kamailio.cfg.
> 
> http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212


___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Bastian Triller
Isn't using a group in the db URL an option? Generate some .cnf in
/etc/mysql/conf.d (or where MySQL searches its configuration in a
Docker container) from the secret and use the group in your db URL in
kamailio.cfg.

http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212

On Thu, 2017-11-16 at 20:22 +, Robert wrote:
> Hello Daniel,
> 
> I did think of this, but yes, that’s exactly my problem. Penetration
> testing will highlight any and all tricks I might employ, definitely
> looking like we're going to need to do extend Kamailio somehow. If we
> can do it in a way that isn’t internally sensitive, I’ll propose we
> create a pull request, maybe help someone else in the future?
> 
> Cheers - Robert...
> 
> > On 16 Nov 2017, at 09:34, Daniel Tryba wrote:
> > 
> > On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla
> > wrote:
> > > > I'm working for a UK high street bank and our Kamailio
> > > > implementation has been challenged because we've got database
> > > > passwords held in clear in the configuration file.
> > 
> > ...
> > > > My requirement is simple, I need to be able to supply a
> > > > password via means such as loading a variable from a run-once
> > > > script at start up, or a module. The ideal would be to be able
> > > > to read in a Docker secret :)
> > > > 
> > > 
> > > you can define a token to be used inside kamailio.cfg by using the -A
> > > command line parameter. So when you start kamailio, fetch the password
> > > from your secure system by whatsoever means, then build the database
> > > url based on it and run kamailio with:
> > > 
> > > kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> > 
> > My guess is the next problem will be the password being visible to
> > all
> > users querying the processlist :)
> > 
> > Is including a file (import_file) with passwords an option?
> > Generate the
> > file just before startup, remove it (ofcourse in a secure way
> > (shred the
> > file and overwrite all freespace with a multiple patters a few
> > dozen
> > times (ask the auditors for the exact specifications that make them
> > happy))) after kamailio is running. 
> > 
> > 
> > ___
> > Kamailio (SER) - Users Mailing List
> > sr-users@lists.kamailio.org
> > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> 
> 
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Robert
Hello Jurijs,

Thank you for the link, Docker secrets is definitely something that would be an 
option, and yes, holding anything in a variable or somewhere it can be easily 
queried isn’t going to work.

We’ll see what happens.

Cheers - Robert...

> On 16 Nov 2017, at 10:41, Jurijs Ivolga wrote:
> 
> Hi,
> 
> Not sure that this helps, but below is how I solved a similar issue by 
> generating an include file inside the Docker file using env variables, but this is 
> not a good approach for sensitive data.
> 
> echo "modparam(\"http_client\", \"httpcon\", \"apiserver=>https://$apiurl\");" >> /kamailio.apiurl
> 
> I believe you can use docker secrets, as described below, but I never used 
> them so I can't help much:
> 
> https://medium.com/@basi/docker-environment-variables-expanded-from-secrets-8fa70617b3bc
>  
> 
> 
> With kind regards,
> 
> Jurijs
> 
> On Thu, Nov 16, 2017 at 11:34 AM, Daniel Tryba wrote:
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
> > > I'm working for a UK high street bank and our Kamailio implementation 
> > > has been challenged because we've got database passwords held in clear 
> > > in the configuration file.
> ...
> > > My requirement is simple, I need to be able to supply a password via 
> > > means such as loading a variable from a run-once script at start up, or a 
> > > module. The ideal would be to be able to read in a Docker secret :)
> > >
> > you can define a token to be used inside kamailio.cfg by using the -A
> > command line parameter. So when you start kamailio, fetch the password
> > from your secure system by whatsoever means, then build the database
> > url based on it and run kamailio with:
> >
> > kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> 
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)
> 
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (ofcourse in a secure way (shred the
> file and overwrite all freespace with a multiple patters a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running.
> 
> 
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org 
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users 

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Robert
Hello Daniel,

I did think of this, but yes, that’s exactly my problem. Penetration testing 
will highlight any and all tricks I might employ, definitely looking like we're 
going to need to do extend Kamailio somehow. If we can do it in a way that 
isn’t internally sensitive, I’ll propose we create a pull request, maybe help 
someone else in the future?

Cheers - Robert...

> On 16 Nov 2017, at 09:34, Daniel Tryba wrote:
> 
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
>>> I'm working for a UK high street bank and our Kamailio implementation has 
>>> been challenged because we've got database passwords held in clear in the 
>>> configuration file.
> ...
>>> My requirement is simple, I need to be able to supply a password via means 
>>> such as loading a variable from a run-once script at start up, or a module. 
>>> The ideal would be to be able to read in a Docker secret :)
>>> 
>> you can define a token to be used inside kamailio.cfg by using the -A
>> command line parameter. So when you start kamailio, fetch the password
>> from your secure system by whatsoever means, then build the database
>> url based on it and run kamailio with:
>> 
>> kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> 
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)
> 
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (ofcourse in a secure way (shred the
> file and overwrite all freespace with a multiple patters a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running. 
> 
> 
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Jurijs Ivolga
Hi,

Not sure that this helps, but below is how I solved a similar issue by
generating an include file inside the Docker file using env variables, but this is
not a good approach for sensitive data.

echo "modparam(\"http_client\", \"httpcon\", \"apiserver=>https://$apiurl\");" >> /kamailio.apiurl

I believe you can use docker secrets, as described below, but I never used
them so I can't help much:

https://medium.com/@basi/docker-environment-variables-expanded-from-secrets-8fa70617b3bc

With kind regards,

Jurijs

On Thu, Nov 16, 2017 at 11:34 AM, Daniel Tryba wrote:

> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
> > > I'm working for a UK high street bank and our Kamailio
> > > implementation has been challenged because we've got database passwords
> > > held in clear in the configuration file.
> ...
> > > My requirement is simple, I need to be able to supply a password via
> means such as loading a variable from a run-once script at start up, or a
> module. The ideal would be to be able to read in a Docker secret :)
> > >
> > you can define a token to be used inside kamailio.cfg by using the -A
> > command line parameter. So when you start kamailio, fetch the password
> > from your secure system by whatsoever means, then build the database
> > url based on it and run kamailio with:
> >
> > kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
>
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)
>
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (ofcourse in a secure way (shred the
> file and overwrite all freespace with a multiple patters a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running.
>
>
> ___
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] DBURL password in clear

2017-11-16 Thread Daniel Tryba
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
> > I'm working for a UK high street bank and our Kamailio implementation has 
> > been challenged because we've got database passwords held in clear in the 
> > configuration file.
...
> > My requirement is simple, I need to be able to supply a password via means 
> > such as loading a variable from a run-once script at start up, or a module. 
> > The ideal would be to be able to read in a Docker secret :)
> >
> you can define a token to be used inside kamailio.cfg by using the -A
> command line parameter. So when you start kamailio, fetch the password
> from your secure system by whatsoever means, then build the database
> url based on it and run kamailio with:
> 
> kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...

My guess is the next problem will be the password being visible to all
users querying the processlist :)

Is including a file (import_file) with passwords an option? Generate the
file just before startup, remove it (of course in a secure way (shred the
file and overwrite all free space with multiple patterns a few dozen
times (ask the auditors for the exact specifications that make them
happy))) after kamailio is running.




Re: [SR-Users] DBURL password in clear

2017-11-15 Thread Robert
Thank you Daniel. This provides me with some capability, but I can’t seem to 
consume the result in the configuration, I just get lots of errors. The issue 
seems to be that the value of the define, passed via -A, doesn’t seem to be 
processed in any way.

I’ve had a quick look in the cfg.lex and cfg.y files, but that’s the first time 
delving into Flex etc. so I’m not sure I’m following it correctly.

I’ve tried every combination of encapsulation of the parameters in single and 
double quotes I can think of i.e. -A DBURL=“…”, -A “DBURL=…”, all with the same 
result.

I also tried #!subst "/DB_URL/DBURL/g” but that doesn’t seem to expand out the 
DBURL define.

In short, I’m stumped… Any further thoughts would be truly appreciated. I’ve 
put a few error details in the mail below. I’m feeling that I may need to 
resort to changing the behaviour of the subst directive to meet my needs (more 
likely, add substvar, substfromfile or some such).

Any further thoughts would be truly welcome, otherwise I think I’m going to 
have to dig out my dusty K book and roll my sleeves up… Sincere thanks in 
advance for any ideas.

Cheers - Robert...

-

In the configuration file, I have failures for example on:

modparam("htable", "db_url", DBURL)

when launched with the -A results in:

0(7) DEBUG:  [core/cfg.lex:1838]: pp_define_get(): ### returning define 
ID [DBURL] value [oracle://username:password@/DB 
]
0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in config 
file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in config 
file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid 
arguments
0(7) CRITICAL:  [core/cfg.y:3434]: yyerror_at(): parse error in config 
file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
ERROR: bad config file (3 errors)

I’ve tried with #!subst but it seems that pre-processor directive doesn’t 
expand out defines, so:

#!subst "/DB_URL/DBURL/g”
modparam("htable", "db_url", DB_URL)

just results in:

0(7) INFO:  [core/ppcfg.c:82]: pp_subst_add(): ### added subst 
expression: /DB_URL/DBURL/g
0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
0(7) DEBUG:  [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG:  [core/re.c:504]: subst_str(): no match
0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in config 
file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL:  [core/cfg.y:3431]: yyerror_at(): parse error in config 
file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid 
arguments
0(7) CRITICAL:  [core/cfg.y:3434]: yyerror_at(): parse error in config 
file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
ERROR: bad config file (3 errors)



> On 15 Nov 2017, at 07:46, Daniel-Constantin Mierla  wrote:
> 
> Hello,
> 
> 
> On 14.11.17 14:25, Robert wrote:
>> Hello,
>> 
>> I’m working for a UK high street bank and our Kamailio implementation has 
>> been challenged because we’ve got database passwords held in clear in the 
>> configuration file.
>> 
>> I am unable to find any examples of where this has been worked around, there 
>> doesn’t seem to be any module or configuration means of supplying a variable 
>> in the modparam() entry that is expanded at startup. The security tutorials 
>> only seem to relate to the SIP level of security, not Kamailio as a platform.
>> 
>> My requirement is simple, I need to be able to supply a password via means 
>> such as loading a variable from a run-once script at start up, or a module. 
>> The ideal would be to be able to read in a Docker secret :)
>> 
>> I am by no means a Kamailio expert, so apologies in advance if this is a 
>> mindblowingly basic thing to achieve, but I do feel I’ve exhausted the 
>> Kamailio documentation, wiki etc. and all the goodness Google usually has to 
>> offer and drawn a blank.
>> 
>> Sincere thanks in advance for any assistance.
>> 
>> 
> you can define a token to be used inside kamailio.cfg by using the -A
> command line parameter. So when you start kamailio, fetch the password
> from your secure system by whatever means, then build the database
> url based on it and run kamailio with:
> 
> kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> 
> You may need to enclose in double quotes 

Re: [SR-Users] DBURL password in clear

2017-11-14 Thread Daniel-Constantin Mierla
Hello,


On 14.11.17 14:25, Robert wrote:
> Hello,
>
> I’m working for a UK high street bank and our Kamailio implementation has 
> been challenged because we’ve got database passwords held in clear in the 
> configuration file.
>
> I am unable to find any examples of where this has been worked around, there 
> doesn’t seem to be any module or configuration means of supplying a variable 
> in the modparam() entry that is expanded at startup. The security tutorials 
> only seem to relate to the SIP level of security, not Kamailio as a platform.
>
> My requirement is simple, I need to be able to supply a password via means 
> such as loading a variable from a run-once script at start up, or a module. 
> The ideal would be to be able to read in a Docker secret :)
>
> I am by no means a Kamailio expert, so apologies in advance if this is a 
> mindblowingly basic thing to achieve, but I do feel I’ve exhausted the 
> Kamailio documentation, wiki etc. and all the goodness Google usually has to 
> offer and drawn a blank.
>
> Sincere thanks in advance for any assistance.
>
>
you can define a token to be used inside kamailio.cfg by using the -A
command line parameter. So when you start kamailio, fetch the password
from your secure system by whatever means, then build the database
url based on it and run kamailio with:

kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...

You may need to enclose in double quotes inside the single quotes, I am
not sure at this moment, but sometimes the shell 'eats' a pair of quotes,
so just try with it if the first fails ...

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com
Kamailio World Conference - www.kamailioworld.com
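
Added example, not code from the thread or from the Kamailio project: a start wrapper that combines the two ideas discussed above, the `-A`/`#!define` token and the short-lived `import_file` include, so that the password never appears in kamailio.cfg, never appears on the command line where the process list exposes it, and sits on disk only in a mode 0600 file between generation and the end of config parsing. The secret file path `/run/secrets/kamailio_db_password` follows the Docker secrets convention but is an assumption, as is the include path `/run/kamailio/dbsecret.cfg`; the cfg path is the one from the error output earlier in the thread. The define value carries its own double quotes, which is what lets `modparam("htable", "db_url", DBURL)` parse as a string argument, and the password is percent-encoded so characters such as `@`, `:` or `/` cannot break the URL.

```shell
#!/bin/sh
# Added example (not the thread's or Kamailio's own code).
# kamailio.cfg is expected to contain, before the modparam lines:
#   import_file "/run/kamailio/dbsecret.cfg"     # assumed path
#   modparam("htable", "db_url", DBURL)
# import_file tolerates a missing file, so a later restart without the
# include present fails at the modparam line rather than at the import.

# Percent-encode everything outside the URL "unreserved" set, so a password
# containing ':' '@' '/' or '?' cannot break the db_url parse. ASCII only.
urlencode() {
  s=$1
  out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}        # first character
    s=${s#?}               # remainder
    case $c in
      [a-zA-Z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# build_dburl DRIVER USER PASSWORD HOST DB -> driver://user:<encoded pw>@host/db
build_dburl() {
  printf '%s://%s:%s@%s/%s' "$1" "$2" "$(urlencode "$3")" "$4" "$5"
}

# read_secret FILE -> first line without the trailing newline. Secret files
# usually end in '\n'; passing that newline through is what produces a define
# value with a line break in it and a parse error in the cfg.
read_secret() {
  IFS= read -r secret < "$1" || [ -n "$secret" ]
  printf '%s' "$secret"
}

# render_define URL -> the include-file line. The double quotes are part of the
# define's value, so the DBURL token expands to a string literal in the cfg.
render_define() {
  printf '#!define DBURL "%s"\n' "$1"
}

# write_define_file PATH URL: recreate the file under umask 077 so it is born
# as mode 0600 and no other user can read the password at any point.
write_define_file() {
  rm -f "$1"
  (umask 077 && render_define "$2" > "$1")
}

# Start sequence: generate the include, start kamailio, then remove the include.
# kamailio parses the whole cfg before it detaches, so once the command returns
# the file has served its purpose (this assumes the default daemonizing mode).
main() {
  secret_file=${SECRET_FILE:-/run/secrets/kamailio_db_password}  # assumed path
  include=${INCLUDE_FILE:-/run/kamailio/dbsecret.cfg}            # assumed path
  url=$(build_dburl mysql kamailio "$(read_secret "$secret_file")" dbhost kamailio)
  write_define_file "$include" "$url"
  kamailio -f /usr/local/etc/kamailio/kamailio.cfg
  rm -f "$include"
}

if [ "${1-}" = start ]; then main; fi
```

Invoke the wrapper as `./start-kamailio.sh start`. The password still lives in kamailio's memory after startup, which is the residual risk Daniel describes in the thread, but it is no longer in the cfg, the process list or a world-readable file.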

