[asterisk-users] How to secure Configuration files

Tilghman Lesher tlesher at digium.com
Wed Jul 7 15:33:18 CDT 2010


On Wednesday 07 July 2010 14:58:05 Kevin P. Fleming wrote:
> On 07/07/2010 10:52 AM, Tilghman Lesher wrote:
> > On Wednesday 07 July 2010 05:24:10 A J Stiles wrote:
> >> On Tuesday 06 Jul 2010, ABBAS SHAKEEL wrote:
> >>> Hello Community,
> >>>
> >>> ..... I am facing an issue of security i.e.  We deploy
> >>> servers to client end. Now I don't want the client to see my
> >>> configuration files (Of course copy and distribute or replicate the
> >>> logic without permission).  [ 1 paragraph omitted ]
> >>> Is there a way that the configuration files get encrypted or something
> >>> else so that someone who has system access cannot copy the
> >>> configuration files data or look into those files.
> >>
> >> Well!  It's a good job Mark Spencer was never so mean-spirited,
> >> otherwise you would never have been *given* the power of Asterisk.
> >
> > In addition, depending upon how you do this, it may be a serious
> > violation of the license under which Asterisk was distributed to you and
> > under which you are required to distribute Asterisk to others.  If you
> > are looking for a legitimate way to do this, you'd have to obtain a
> > commercial license from Digium.
>
> That statement will likely lead to yet more confusion about how the GPL
> applies to Asterisk and distribution of Asterisk... without a specific
> example of how a violation could occur, users will tend to interpret
> such statements in the broadest possible terms, which does harm to their
> understanding of how they can use and distribute Asterisk.

Correct, which is why I used the word 'may'.  The only way to sufficiently
protect the configuration files would be to alter Asterisk and then refuse
to provide the altered source to those to whom he provided the binary.
That would be a violation of the GPL.  The only method I can see to get
around this would be to obtain Asterisk under a non-GPL license.

> Since the poster's question was specifically about configuration files,
> I see no connection between protecting them and any possible violation
> of the GPLv2 license on Asterisk, except for the unlikely scenario of
> the poster deciding to modify Asterisk to decrypt files as it reads
> them... and even then, the license violation would only occur if they
> failed to provide their customers the modified Asterisk code; keeping
> the decryption keys private would not violate the GPLv2 at all.

The only effective means to avoid the configuration files being read would
be to change the Asterisk source, since at the present time, the only way to
get a configuration file into Asterisk is for it to be rendered in plaintext
at the time the file is loaded.  At that point, the file can just as easily be
read by a third party viewer.

> How does obtaining a commercial license from Digium provide the poster a
> 'legitimate' way to secure his configuration files?

By not requiring the poster to distribute his modified source with his
binaries and encrypted configuration files.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org


