[asterisk-users] Password to be encrypted?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Mon May 2 07:09:53 CDT 2011


On Tue, Apr 26, 2011 at 04:03:51PM +0100, A J Stiles wrote:
> On Tuesday 26 Apr 2011, bilal ghayyad wrote:
> > Hi All;
> >
> > I am using Asterisk 1.8, how can I protect myself from hackers in case
> > they were able to see my sip.conf file? I need the password to be encrypted,
> > how?
> 
> Short answer:  You can't.  Asterisk itself needs to be able to read the stored 
> passwords.  The Source Code to Asterisk is readily available.  Therefore, 
> anyone who can read sip.conf, even if it is encrypted, will necessarily be 
> able to decrypt it.
> 
> Slightly more helpful answer:  Make sure that sip.conf can only be read by the 
> root user;
> # chown root:root /etc/asterisk/sip.conf
> # chmod 600 /etc/asterisk/sip.conf
> 
> This is about as safe as it gets.  If somebody manages to get root access to 
> your Asterisk box, then you're already shafted .....

This implies running Asterisk as root, which is certainly not the safest
thing to do.

  chown asterisk /etc/asterisk/sip.conf
  chmod 600 /etc/asterisk/sip.conf

If you really want to split out the secret part, you can have something
along the lines of:


sip.conf:
[general]
;host, port, and such

[phone1]
; Everything, besides 'secret'

[trunk1]
; Everything, besides 'secret'

#include sip_secret.conf


sip_secret.conf:
[general](+)
register => ...

[phone1](+)
secret = ...

[trunk1](+)
secret = ...


This way only sip_secret.conf needs to be kept confidential.


But then again, anyone with access to asterisk should be able to read
the configuration ('sip show users', GetConfig in the manager interface,
whatever).

There are further obfuscations to be done (there has been a previous
thread about this subject). But you should first clarify (to yourself,
mostly) what is the threat you want to protect your system from. Given
enough resources, the NSA will get those passwords anyway
(http://xkcd.com/538/ ). But you should make good security to protect
your system from reasonable threats.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
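
The split described in the message above, as an added example that is not part of the original post: it moves the 'secret' and 'register' lines of a sip.conf into [section](+) blocks for sip_secret.conf and creates that file with mode 600. The sample configuration, the function names and the file handling are assumptions made for illustration.

```python
import os
import re

# Constructed sample sip.conf; all names and credentials are made up.
SAMPLE = """[general]
bindport=5060
register => user:pass@provider.example

[phone1]
type=friend
secret = constructed-phone-secret
host=dynamic

[trunk1]
type=peer
secret = constructed-trunk-secret
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
# Lines the post moves out of sip.conf; ';'-commented lines do not match.
SENSITIVE = re.compile(r"^\s*(secret\s*=|register\s*=>)")

def split_secrets(sip_conf_text, include_name="sip_secret.conf"):
    """Return (public_text, secret_text) in the layout shown in the post."""
    public, secrets = [], {}  # secrets: section name -> sensitive lines
    current = None
    for line in sip_conf_text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
        if current is not None and SENSITIVE.match(line):
            secrets.setdefault(current, []).append(line.strip())
        else:
            public.append(line)
    public.append(f"#include {include_name}")
    out = []
    for name, lines in secrets.items():
        out.append(f"[{name}](+)")  # (+) appends to the existing section
        out.extend(lines)
        out.append("")
    return "\n".join(public) + "\n", "\n".join(out)

def write_private(path, text):
    """Create the file as 0600 from the start, so it is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # also tightens a file that already existed
```

Ownership still has to be set as in the message (chown asterisk), which needs root and is left out here.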
