[asterisk-users] Hide the plain text password

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Feb 15 07:09:43 CST 2011


On Tue, Feb 15, 2011 at 07:54:54AM -0500, Richard Kenner wrote:
> > Right. But it really won't help much (except complicating things) if the
> > user has decent access to Asterisk.
> 
> Yes, but we're talking about cases where the "user" *doesn't* have access
> to Asterisk.  At many locations, including mine, Asterisk runs on a
> machine dedicated for that purpose and only people administering it have
> access to that machine.  But config files are placed in a CM system which
> MANY more people have access to.  Having plaintext passwords in those
> files is a real problem.

In this case:

#include the password (a file the line 'secret=') from a local file on
the file system. The user has no access to it, right?

It might as well be a database, a remote URL (CURL), an output of a
script (#exec). Whichever works best for you.

One test for you to consider: are the users able to use the "encrypted"
configuration item in a different Asterisk system (without your
concent)?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir



More information about the asterisk-users mailing list