[asterisk-users] Hide the plain text password

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Feb 15 07:57:44 CST 2011


On Tue, Feb 15, 2011 at 08:17:20AM -0500, Richard Kenner wrote:
> > #include the password (a file with the line 'secret=') from a local file on
> > the file system. The user has no access to it, right?
> 
> Right, but we're not talking ONE password, but ANY password. Having
> dozens of those files, one for each password, gets to be a real pain
> really fast.  And you STILL want CM control of password changes even
> if you're storing the encrypted versions: you want to be able to go
> back to an old password, even if you don't know what it is.

Nope. Don't keep the password in the common version control. This is
security through obscurity. Asterisk has to be able to read it as plain
text, eventually.

You can go the #exec route, keep an encrypted file, and keep the
decryption key somewhere on the file system. If you don't put the
decryption key outside of the version control, what you get is purely
security through obscurity, that is: counting on the user to be forever
dumb.


If you want more than one:

#include path/to/passwords.conf
; Or:
;#exec /usr/local/bin/decrypt_passwords_file

[peer1](password1)
...

[peer2](password2)
...


passwords.conf has:
[password1](!)
secret = 111111

[password2](!)
secret = 111111

[password3](!)
secret = 111111

[password4](!)
secret = 111111


And as the PERL saying goes, There Is More Than One Way To Do It.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
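
The layout described in the message above (peers in the version-controlled file inheriting `secret` from templates in a local passwords.conf) can be checked mechanically. This is an added example, not part of the original post or of Asterisk; the `parse` and `audit` names, the sample peers and the rule that "other" users get no access to the passwords file are assumptions.

```python
import re
import stat

SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse(text):
    """Map section name -> {template, parents, secret} for Asterisk-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line or line.startswith("#"):     # blanks, #include / #exec lines
            continue
        m = SECTION.match(line)
        if m:
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            current = sections[m.group(1)] = {
                "template": "!" in opts,
                "parents": [o for o in opts if o != "!"],
                "secret": False,
            }
        elif current is not None and re.match(r"secret\s*=", line, re.I):
            current["secret"] = True
    return sections

def audit(tracked_text, secrets_text, secrets_mode):
    """Return findings for the tracked config, the local passwords file and its mode bits."""
    tracked, secrets = parse(tracked_text), parse(secrets_text)
    findings = []
    for name, sec in tracked.items():
        if sec["secret"]:
            findings.append(f"inline secret in tracked file: [{name}]")
        elif not sec["template"] and not any(
            secrets.get(p, {}).get("secret") for p in sec["parents"]  # direct parents only
        ):
            findings.append(f"no secret template resolved for [{name}]")
    if secrets_mode & stat.S_IRWXO:              # any access for "other" users
        findings.append(f"passwords file accessible to other users: mode {secrets_mode:o}")
    return findings

# Constructed sample input (not from a real system).
TRACKED = """#include path/to/passwords.conf
[peer1](password1)
host = dynamic
[peer2](password9)   ; template missing from passwords.conf
[peer3]
secret = 222222      ; should not be in version control
"""
SECRETS = "[password1](!)\nsecret = 111111\n"

if __name__ == "__main__":
    for finding in audit(TRACKED, SECRETS, 0o644):
        print(finding)
```

On a real system the mode argument would come from `os.stat(path).st_mode` on the passwords file, and the check could run as a pre-commit hook on the tracked configuration.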


