[asterisk-users] Hide the plain text password
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Feb 15 07:09:43 CST 2011
On Tue, Feb 15, 2011 at 07:54:54AM -0500, Richard Kenner wrote:
> > Right. But it really won't help much (except complicating things) if the
> > user has decent access to Asterisk.
>
> Yes, but we're talking about cases where the "user" *doesn't* have access
> to Asterisk. At many locations, including mine, Asterisk runs on a
> machine dedicated for that purpose and only people administering it have
> access to that machine. But config files are placed in a CM system which
> MANY more people have access to. Having plaintext passwords in those
> files is a real problem.
In this case:
#include the password (a file the line 'secret=') from a local file on
the file system. The user has no access to it, right?
It might as well be a database, a remote URL (CURL), an output of a
script (#exec). Whichever works best for you.
One test for you to consider: are the users able to use the "encrypted"
configuration item in a different Asterisk system (without your
concent)?
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list