> Subject: Re: [asterisk-users] Hide the plain text password
>
>>
>> "Security through obscurity" does not work with open source software.
>>
>
> What a bold statement, are you telling me it works with closed source
> software? :P
> > - The config file reader looks for strings of the form "{enc:}:
> > and replaces them, before otherwise parsing the line, with the decrypted
> > version of the string using the key in the "master_key" file.
>
> This sounds pretty reasonable, except perhaps that you might only want
> to con
ken...@gnat.com (Richard Kenner) writes:
> Here's a possible design:
>
> - There's optionally a file in the config
> directory called "master_key". It contains just a string.
>
> - A CLI command "core encrypt " is added to Asterisk. It takes the
> provided string, encrypts it using the strin
On 02/15/2011 06:08 PM, Jian Gao wrote:
How about encrypting the whole hard drive?
If I build a server and give it to other people, there is no easy way to
stop them from resetting the root password or just mounting my drive to read
everything on it. But if I build an encrypted OS then it will be secure. My
question
On Tue, Feb 15, 2011 at 11:51:26PM +0100, Hans Witvliet wrote:
> On Tue, 2011-02-15 at 07:18 -0500, Richard Kenner wrote:
> > > Anyway, the answer is: No, it's mathematically impossible to do
> > > that. Even if the passwords were stored encrypted, Asterisk itself
> > > has to be able to get the p
On Wed, Feb 16, 2011 at 12:01:20AM +0100, Hans Witvliet wrote:
> kept on reading the thread...
>
> Wouldn't it be better, for asterisk at least, to get rid of all this
> identification / authentication stuff?
> Keeping config files holding plain passwords or simple md5 isn't the way
> to solve this
> How about encrypting the whole hard drive?
>
> If I build a server and give it to other people, there is no easy way to
> stop them from resetting the root password or just mounting my drive to read
> everything on it. But if I build an encrypted OS then it will be secure.
It will be more secure. However, you (
How about encrypting the whole hard drive?
If I build a server and give it to other people, there is no easy way to
stop them from resetting the root password or just mounting my drive to read
everything on it. But if I build an encrypted OS then it will be secure. My
questions here are: <1>Is this against Asterisk
kept on reading the thread...
Wouldn't it be better, for asterisk at least, to get rid of all this
identification / authentication stuff?
Keeping config files holding plain passwords or simple md5 isn't the way
to solve this...
Within the unix world those issues have been solved over and over agai
On Tue, 2011-02-15 at 07:18 -0500, Richard Kenner wrote:
> > Anyway, the answer is: No, it's mathematically impossible to do
> > that. Even if the passwords were stored encrypted, Asterisk itself
> > has to be able to get the plaintext passwords to send to the remote
> > server; so the code to dec
On 02/15/2011 09:29 AM, C F wrote:
"Security through obscurity" does not work with open source software.
What a bold statement, are you telling me it works with closed source
software? :P
Depends on your definition of 'works' I guess :-)
With closed source software, it takes rather longer
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of C F
Sent: Tuesday, February 15, 2011 9:29 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Hide the plain text password
>
> "Security through obscurity" does not work with open source software.
>
What a bold statement, are you telling me it works with closed source
software? :P
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.co
On Tue, Feb 15, 2011 at 08:17:20AM -0500, Richard Kenner wrote:
> > #include the password (a file the line 'secret=') from a local file on
> > the file system. The user has no access to it, right?
>
> Right, but we're not talking ONE password, but ANY password. Having
> dozens of those files, one
On 15 Feb 2011, at 13:17, Richard Kenner wrote:
> Of course not! It would be useless if that were the case: the whole
> point here would be that you need the master encryption key.
>
> Here's a possible design:
>
> - There's optionally a file in the config
> directory called "master_key". It c
> #include the password (a file the line 'secret=') from a local file on
> the file system. The user has no access to it, right?
Right, but we're not talking ONE password, but ANY password. Having
dozens of those files, one for each password, gets to be a real pain
really fast. And you STILL want
On Tue, Feb 15, 2011 at 07:54:54AM -0500, Richard Kenner wrote:
> > Right. But it really won't help much (except complicating things) if the
> > user has decent access to Asterisk.
>
> Yes, but we're talking about cases where the "user" *doesn't* have access
> to Asterisk. At many locations, incl
> Right. But it really won't help much (except complicating things) if the
> user has decent access to Asterisk.
Yes, but we're talking about cases where the "user" *doesn't* have access
to Asterisk. At many locations, including mine, Asterisk runs on a
machine dedicated for that purpose and only
> How does that improve things? The reason that works with Cisco routers
> is because the code that reads that special key file and uses it to
> decrypt the other files is closed-source; nobody can see how it works.
>
> As another poster said, that's not true for Asterisk. If Asterisk had
> such
On Tue, Feb 15, 2011 at 07:18:08AM -0500, Richard Kenner wrote:
> > Anyway, the answer is: No, it's mathematically impossible to do
> > that. Even if the passwords were stored encrypted, Asterisk itself
> > has to be able to get the plaintext passwords to send to the remote
> > server; so the code
On 02/15/2011 06:18 AM, Richard Kenner wrote:
Anyway, the answer is: No, it's mathematically impossible to do
that. Even if the passwords were stored encrypted, Asterisk itself
has to be able to get the plaintext passwords to send to the remote
server; so the code to decrypt them must necessaril
> Anyway, the answer is: No, it's mathematically impossible to do
> that. Even if the passwords were stored encrypted, Asterisk itself
> has to be able to get the plaintext passwords to send to the remote
> server; so the code to decrypt them must necessarily be located on
> the machine. And the
On Monday 14 Feb 2011, Jian Gao wrote:
> Now in my asterisk config files, there are lines like:
> secret=some_password_in_plain_text
>
> Is it possible to hide these plain text passwords?
Depending how you set your permissions, they are already effectively hidden
behind the machine's root password
On 14 Feb 2011, at 22:30, Jian Gao wrote:
> I am thinking of using a MySQL DB to save the user account information. And let
> mysql encrypt the password, (MD5 maybe?). I remember I've done SIP realtime
> registration. Can I also use this way on the Google Voice account?
If you hash the password, you
Thanks for all your inputs.
I am thinking of using a MySQL DB to save the user account information. And
let mysql encrypt the password, (MD5 maybe?). I remember I've done SIP
realtime registration. Can I also use this way on the Google Voice account?
*Jian *
On 11-02-14 02:21 PM, Leif Madsen wrot
On 02/14/2011 04:18 PM, Richard Kenner wrote:
Who are you hiding them from? Anyone with access to the Asterisk server
can already do far more damage than extracting these passwords.
You may (like we do) want to store config files in a version control system
in a common repository. People who h
On 11-02-14 05:08 PM, Jian Gao wrote:
I am building a server for a client. I want them to try out the new Google Voice
feature using my GV account. But I don't want to expose my GV's password.
Actually in this case, your best bet is just going to be to create a separate
account where you don't ca
On 11-02-14 05:10 PM, Kevin P. Fleming wrote:
On 02/14/2011 04:08 PM, Jian Gao wrote:
I am building a server for a client. I want them to try out the new
Google Voice feature using my GV account. But I don't want to expose my
GV's password.
There is no method to obscure a Google Voice password in
> Who are you hiding them from? Anyone with access to the Asterisk server
> can already do far more damage than extracting these passwords.
You may (like we do) want to store config files in a version control system
in a common repository. People who have access to that repository don't
necessar
On 02/14/2011 04:08 PM, Jian Gao wrote:
I am building a server for a client. I want them to try out the new
Google Voice feature using my GV account. But I don't want to expose my
GV's password.
There is no method to obscure a Google Voice password in the config
file. chan_sip supports obscured p
I am building a server for a client. I want them to try out the new
Google Voice feature using my GV account. But I don't want to expose my
GV's password.
*Jian *
On 11-02-14 01:46 PM, Kevin P. Fleming wrote:
On 02/14/2011 03:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are li
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jeremy Kister
Sent: Monday, February 14, 2011 3:44 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Hide the plain text
On Mon, Feb 14, 2011 at 6:46 PM, Kevin P. Fleming wrote:
> On 02/14/2011 03:36 PM, Jian Gao wrote:
>>
>> Now in my asterisk config files, there are lines like:
>> secret=some_password_in_plain_text
>>
>> Is it possible to hide these plain text passwords?
>
> Who are you hiding them from? Anyone wit
On 02/14/2011 03:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text passwords?
Who are you hiding them from? Anyone with access to the Asterisk server
can already do far more damage than extra
On 2/14/2011 4:36 PM, Jian Gao wrote:
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text passwords?
I think 'md5secret' is what you're looking for.
http://www.voip-info.org/wiki/view/Asterisk+sip+md5secret
--
Jer
Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text
Is it possible to hide these plain text passwords?
--
*Jian *