[asterisk-users] Encrypted password for voicemail
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Nov 28 01:12:58 MST 2006
On Mon, Nov 27, 2006 at 05:12:19PM -0800, jezzzz . wrote:
> Thanks for the response Tzafrir. I meant
> voicemail.conf for the passwords of course - my
> mistake. Trying to ensure that if voicemail.conf is
> opened by an attacker that all the passwords are not
> readily available. By hashing them or encrypting them
> in a DB it's going to be much harder for an attacker
> to obtain access to the passwords.
>
> The only way to encrypt the sending of passwords to
> the voicemail is by using SIP-TLS?
Those are two conflicting goals. If you only save a hash of the
passowrd, as in /etc/shadow, you cannot reproduce the original password
from it in order to calculate "similar" hashes for chalange-and-response
authentication.
So do you want to protect from an eves-dropper or from a local attacker?
Anyway, at the current state of afairs, you get basically nothing.
> (which is not yet
> in production stage?).
If we leave development issues aside and look at things you can use now:
use stunnel to provide SSL/TLS support for it?
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list