[asterisk-users] Executing shell commands via AMI

Vinícius Fontes vinicius at canall.com.br
Wed Mar 16 15:53:48 CDT 2011


----- Original message -----


On Wednesday 16 March 2011 14:11:21 Vinícius Fontes wrote: 
> I understand the concern with security but why not create a separate 
> authorization allowing that instead of hard-coding it? 

Clearly, you don't understand the problem with security, because you're 
asking that question. If you want to run shell commands on the Asterisk 
server, create your own SSH connection to the server, become root, and run 
those commands. 

-- 
Tilghman 

I do understand the problem with security and this is my last message, since I have no intention to start a flame war. 


When we're dealing with security we're always balancing three factors: usability, risk, flexibility. You change one, you change the other two. 


This is not about a security flaw but about a lack of flexibility. I could make my remote management system use the existing SSL-encrypted AMI session (that will only accept connections from specific IP addresses, aside from incoming connections being filtered by iptables) to run shell commands, but now I have to allow SSH access to achieve the very same thing. Last time I checked, the more listening ports, the higher the security risks are.


Also, many of the boxes I manage are behind NAT, so I'll have to ask my customers to reconfigure their firewalls to allow SSH access from the remote management system. 


No increased security, lots of hassle, all because there's an undocumented "feature" that is supposed to increase security but just takes functionality away. 


Thank you for your attention. 




