[asterisk-users] Hide the plain text password
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Feb 15 06:50:35 CST 2011
On Tue, Feb 15, 2011 at 07:18:08AM -0500, Richard Kenner wrote:
> > Anyway, the answer is: No, it's mathematically impossible to do
> > that. Even if the passwords were stored encrypted, Asterisk itself
> > has to be able to get the plaintext passwords to send to the remote
> > server; so the code to decrypt them must necessarily be located on
> > the machine. And the Source Code to Asterisk is readily available,
> > which is how come you were able to benefit from it, so it would be
> > trivial to extract the passwords in any case.
>
> But there IS a way to improve things, and it's what Cisco routers do.
> You can have all password stored in config file encrypted with a
> single master key. That key is stored in a special file, containing
> just that key. THAT file must then be heavily-protected, but all
> OTHER config files can now be placed into CM or anywhere else they
> might be needed.
Right. But it really won't help much (except complicating things) if the
user has decent access to Asterisk.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list