[asterisk-users] Hide the plain text password (suggestion)

Tzafrir Cohen tzafrir.cohen at xorcom.com
Wed Feb 16 06:06:40 CST 2011


On Wed, Feb 16, 2011 at 12:01:20AM +0100, Hans Witvliet wrote:
> kept on reading the thread...
> 
> Wouldn't it be better, for asterisk at least, to get rid of all this
> identification / authentication stuff?
> Keeping config files holding plain passwords or simple md5 isn't the way
> to solve this...
> 
> Within the unix world those issues have been solved over and over again.
> Any chance that in 1.10 or scf we might be using something like pam?

This only helps if someone has to prove the identity to you. Not if you
have to prove to someone else that you know the password. In the latter
case you have to actually know the plain text password, one way or the
other.

(If you don't, then whatever it is you know, is something a remote
attacker can use).

The price for using hashes in Unix is that passwords are sent over
the wire. SASL and other challenge-response authentication algorithms
assume you have a common secret. And thus the server has to know the
plain text password (but it is not sent in clear over the wire).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
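
Added example, not part of the original message: a Python sketch of the trade-off described above, contrasting RFC 2617 digest challenge-response (the scheme SIP uses) with a Unix-style salted hash. It assumes the "simple md5" in the thread is the digest HA1 value; the user, realm, password and URI are constructed sample values.

```python
import hashlib, hmac, os

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# --- Digest challenge-response (RFC 2617, no qop) ---
def ha1(user, realm, password):
    """What the server stores instead of the plain password."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    """Computed by the client; needs only HA1, not the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def digest_verify(stored_ha1, nonce, method, uri, response):
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

# --- Unix-style: salted hash stored, password sent to the verifier ---
def unix_record(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def unix_verify(record, submitted):
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def demo():
    # Constructed sample values, not taken from any real system.
    user, realm, password = "1001", "pbx.example.invalid", "constructed-secret"
    nonce, method, uri = os.urandom(8).hex(), "REGISTER", "sip:pbx.example.invalid"
    stored = ha1(user, realm, password)
    # A party holding only the stored HA1 answers the challenge correctly,
    # so the stored value must be protected like the password itself.
    from_stored_only = digest_response(stored, nonce, method, uri)
    record = unix_record(password)
    return {
        "digest_ok_with_stored_value_only":
            digest_verify(stored, nonce, method, uri, from_stored_only),
        "unix_ok_with_password": unix_verify(record, password),
        # The stored Unix hash is not accepted in place of the password.
        "unix_ok_with_stored_hash": unix_verify(record, record[1].hex()),
    }

if __name__ == "__main__":
    print(demo())
```

For the config file this means a stored md5 value needs the same file permissions and handling as a plain text secret.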


