[asterisk-users] Hide the plain text password (suggestion)
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Wed Feb 16 06:06:40 CST 2011
On Wed, Feb 16, 2011 at 12:01:20AM +0100, Hans Witvliet wrote:
> kept on reading the thread...
>
> Wouldn't it be better, for asterisk at least, to get rid of all this
> identification / authentication stuff?
> Keeping config files holding pain passwords or simple md5 isn't the way
> to solve this...
>
> Within the unix world those issues have been solved over and over again.
> Any chance that in 1.10 or scf we might be using something like pam?
This only helps if someone has to prove the identity to you. Not if you
have to prove to someone else that you know the password. In the latter
case you have to actually know the plain text password, one way or the
other.
(If you don't, then whatever it is you know, is something a remote
attacker can use).
The price for using a hashes in Unix is that passwords are sent over
the wire. SASL and other chalange-response authentication algorithms
assume you have a common secret. And thus the server has to know the
plain text password (but it is not sent in clear over the wire).
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list