Now in my asterisk config files, there are lines like:
secret=some_password_in_plain_text

Is it possible to hide these plain text passwords?

--
*Jian*

On 2/14/2011 4:36 PM, Jian Gao wrote:
> Now in my asterisk config files, there are lines like:
> secret=some_password_in_plain_text
>
> Is it possible to hide these plain text passwords?

I think 'md5secret' is what you're looking for.

http://www.voip-info.org/wiki/view/Asterisk+sip+md5secret

--
Jeremy Kister
http://jeremy.kister.net./
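
Added example, not part of the original thread: in chan_sip's sip.conf, md5secret holds the MD5 hex digest of "username:realm:password" (the digest-authentication HA1 value), and the code below rewrites secret= lines into that form. The sample config, the helper names, the default realm "asterisk" and the rule that the digest username is the section name unless username= or defaultuser= is set are assumptions of this example.

```python
import hashlib
import re

DEFAULT_REALM = "asterisk"  # assumed realm; use the realm= value from [general] if set

SECTION = re.compile(r"^\[([^\]]+)\]")
OPTION = re.compile(r"^\s*(\w+)\s*=>?\s*(.*?)\s*$")

def md5secret(username, realm, password):
    """SIP digest HA1: MD5 of "username:realm:password" as lowercase hex."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def convert(conf_text, realm=DEFAULT_REALM):
    """Return sip.conf text with each peer's secret= replaced by md5secret=."""
    lines = conf_text.splitlines()
    user = {}      # section name -> username used in the digest
    secrets = []   # (line index, section name, plaintext password)
    section = None
    for i, line in enumerate(lines):
        body = line.split(";", 1)[0]   # ';' starts a comment (escaped '\;' not handled)
        m = SECTION.match(body)
        if m:
            section = m.group(1)
            user.setdefault(section, section)
            continue
        m = OPTION.match(body)
        if not m or section in (None, "general"):
            continue                   # only peer sections are rewritten
        key, value = m.group(1).lower(), m.group(2)
        if key in ("username", "defaultuser"):
            user[section] = value      # explicit auth username overrides section name
        elif key == "secret":
            secrets.append((i, section, value))
    # Second pass: the username may be defined after the secret= line.
    for i, section, password in secrets:
        lines[i] = "md5secret=" + md5secret(user[section], realm, password)
    return "\n".join(lines) + "\n"

# Constructed sample input, not taken from a real system.
SAMPLE = """\
[general]
realm=asterisk

[1001]
type=friend
secret=some_password_in_plain_text ; constructed value
host=dynamic
"""

if __name__ == "__main__":
    print(convert(SAMPLE), end="")
```

The resulting hash keeps the human-readable password out of the file, but it is itself sufficient to answer digest challenges for that username and realm, so the config file still needs restrictive permissions.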

On 02/14/2011 03:36 PM, Jian Gao wrote:
> Now in my asterisk config files, there are lines like:
> secret=some_password_in_plain_text
>
> Is it possible to hide these plain text passwords?

Who are you hiding them from? Anyone with access to the Asterisk server can already do far more damage than extracting these passwords.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kfleming at digium.com
Check us out at www.digium.com & www.asterisk.org

On Mon, Feb 14, 2011 at 6:46 PM, Kevin P. Fleming <kpfleming at digium.com> wrote:
> On 02/14/2011 03:36 PM, Jian Gao wrote:
>>
>> Now in my asterisk config files, there are lines like:
>> secret=some_password_in_plain_text
>>
>> Is it possible to hide these plain text passwords?
>
> Who are you hiding them from? Anyone with access to the Asterisk server can
> already do far more damage than extracting these passwords.

For change control and configuration management systems there should be a hide or exclude list that will block the display.

~~~ Andrew "lathama" Latham lathama at gmail.com ~~~

On Monday 14 Feb 2011, Jian Gao wrote:
> Now in my asterisk config files, there are lines like:
> secret=some_password_in_plain_text
>
> Is it possible to hide these plain text passwords?

Depending on how you set your permissions, they are already effectively hidden behind the machine's root password. If someone gets that then, my friend, you have bigger things to worry about :)

Anyway, the answer is: No, it's mathematically impossible to do that. Even if the passwords were stored encrypted, Asterisk itself has to be able to get the plaintext passwords to send to the remote server; so the code to decrypt them must necessarily be located on the machine. And the Source Code to Asterisk is readily available, which is how come you were able to benefit from it, so it would be trivial to extract the passwords in any case.

See also: http://developer.pidgin.im/wiki/PlainTextPasswords for an explanation of pretty much the same issue.

--
AJS

> How about encrypting the whole hard drive?
>
> If I build a server and give it to other people, there is no easy way to
> stop them from resetting the root password or just mounting my drive to read
> everything on it. But if I build an encrypted OS then it will be secure.

It will be more secure. However, you (personally) will need to be present at the server, every time it is powered up, in order to enter the appropriate decryption key.

You can't place the key in a file on the hard drive, or as part of the GRUB or LILO boot configuration, or on a USB stick or floppy, because if you do, the people you give the server to will have the information they need to break the encryption. You would have just "pushed the problem back" by one step.

The only way to keep the encrypted disk (and server) secure is to retain physical control of the necessary decryption key.

> My questions here are: <1>Is this against Asterisk GPL?

That depends. If all of the software on the system is under GPL Version 2 (or the LGPL equivalent), then distributing such a system would be no different than distributing a system which didn't encrypt the disk. Under the terms of the GPL you would have to provide copies of the source code to the GPL'ed components to the system upon request, but you would not have to disclose the key used for a particular installation.

If you include software which was under GPL Version 3, you might have to disclose the key. Ask a lawyer about that.

> <2>How about the performance on such a system?

Anywhere from poor, to perfectly fine, depending on how much disk I/O you do, whether a hardware encryption accelerator is available, and what encryption algorithm you choose.

If your Asterisk implementation isn't doing a lot of recording and playback of audio files to/from disk, and it isn't running other applications at the same time, I suspect you wouldn't notice a really significant difference between encrypted and unencrypted operation, once the system had booted up and was running in a "steady state".