<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Times New Roman; font-size: 12pt; color: #000000'><span><hr id="zwchr"></span><blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;">On Wednesday 16 March 2011 14:11:21 Vinícius Fontes wrote:<br>> I understand the concern with security but why not create a separate<br>> authorization allowing that instead of hard-coding it?<br><br>Clearly, you don't understand the problem with security, because you're<br>asking that question. If you want to run shell commands on the Asterisk<br>server, create your own SSH connection to the server, become root, and run<br>those commands.<br><br>-- <br>Tilghman<br><br></blockquote>I do understand the problem with security and this is my last message, since I have no intention to start a flame war.<div><br></div><div>When we're dealing with security we're always balancing three factors: usability, risk, flexibility. You change one, you change the other two.</div><div><br></div><div>This is not about a security flaw but about a lack of flexibility. I could make my remote management system use the existent SSL-encrypted AMI session (that will only accept connections from specific IP addresses, aside from incoming connections being filtered by iptables) to run shell commands, but now I have to allow SSH access to achieve the very same thing. 
Last time I checked, the more listening ports, the higher the security risks are.</div><div><br></div><div>Also, many of the boxes I manage are behind NAT, so I'll have to ask my customers to reconfigure their firewalls to allow SSH access from the remote management system.</div><div><br></div><div>No increased security, lots of hassle, all because there's an undocumented "feature" that is supposed to increase security but just takes functionality away.</div><div><br></div><div>Thank you for your attention.</div></div></body></html>