Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community
 SearchSearch 

[Freeswitch-users] Passwords in clear text

Goto page 1, 2  Next
 
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> freeSWITCH Users
View previous topic :: View next topic  
Author Message
Prometheus001 at gmx.net
Guest





PostPosted: Thu Oct 16, 2008 2:52 am    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

I've seen in the XCML files that passwords and credentials e.g. for
directory entries are always stored in clear text. Is there a way to use
encrypted passwords?

Bet regaerds
Peter

_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
hads at nice.net.nz
Guest





PostPosted: Thu Oct 16, 2008 3:26 am    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

On Thursday 16 October 2008 20:40:29 Peter P GMX wrote:
Quote:
I've seen in the XCML files that passwords and credentials e.g. for
directory entries are always stored in clear text. Is there a way to use
encrypted passwords?

As mentioned on this page;

http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide

you can use a1-hash values instead.

hads

_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
leon at scarlet-intern...
Guest





PostPosted: Thu Oct 16, 2008 3:29 am    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Hi,

Yes, you can just return an a1-hash instead of a password.

The a1-hash consists of md5(username:domain:password)

see: http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide

regards,

Leon


On Oct 16, 2008, at 9:40 AM, Peter P GMX wrote:

Quote:
I've seen in the XCML files that passwords and credentials e.g. for
directory entries are always stored in clear text. Is there a way to
use
encrypted passwords?

Bet regaerds
Peter

_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
Prometheus001 at gmx.net
Guest





PostPosted: Mon Oct 20, 2008 9:27 am    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Thanks,

I got it for the directory password (a1-hash).

But what about the voicemail-password and the passwords stored for
external gateways?

Best regards
Peter

Leon de Rooij schrieb:
Quote:
Hi,

Yes, you can just return an a1-hash instead of a password.

The a1-hash consists of md5(username:domain:password)

see: http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide

regards,

Leon


On Oct 16, 2008, at 9:40 AM, Peter P GMX wrote:


Quote:
I've seen in the XCML files that passwords and credentials e.g. for
directory entries are always stored in clear text. Is there a way to
use
encrypted passwords?

Bet regaerds
Peter

_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
brian at freeswitch.org
Guest





PostPosted: Mon Oct 20, 2008 10:44 am    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Honestly is that much of an issue? Your machine should be secure
enough to not allow anyone but the user FreeSWITCH is running as read
the configs in the first place. I'm not even that paranoid Razz

/b

On Oct 20, 2008, at 9:09 AM, Peter P GMX wrote:

Quote:
Thanks,

I got it for the directory password (a1-hash).

But what about the voicemail-password and the passwords stored for
external gateways?

Best regards
Peter


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
Prometheus001 at gmx.net
Guest





PostPosted: Mon Oct 20, 2008 1:43 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Hello Brian,

i have learned im my life that any server can be compromized if anyone
uses enough effort to hack it. Thus I simply try to prevent storing
passwords in clear text.
I am actually trying to setup a secure system with TLS/SRTP and handling
clear text passwords didn't really fit into this concept.

Best regards
Peter



Brian West schrieb:
Quote:
Honestly is that much of an issue? Your machine should be secure
enough to not allow anyone but the user FreeSWITCH is running as read
the configs in the first place. I'm not even that paranoid Razz

/b

On Oct 20, 2008, at 9:09 AM, Peter P GMX wrote:


Quote:
Thanks,

I got it for the directory password (a1-hash).

But what about the voicemail-password and the passwords stored for
external gateways?

Best regards
Peter



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
Prometheus001 at gmx.net
Guest





PostPosted: Mon Oct 20, 2008 4:55 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

I think we can agree that the more passwords are available in clear text
the more problems we will have if a system is compromized. Therefore
it's common practise to not store passwords in clear text. In our case
we use xml-curl to store the directory data in a database for a
distributed freeswitch network. I simply try to avoid having a database
with clear text passwords. VM-Passwords may not be a bigger problem, but
gateway passwords and conference pins are.

One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
store it the database and decrypt it on the fly when it is needed. This
moves the security implementation to the application side with some
backdraws, as passwords can be retrieved with the decryption key and
passwords are transferred through the network (of course via SSL) and
the passwords are in the logs. This is how we do it for the time being.
Another idea, as I propose, is not to store the passwords but hashes.

To be honest: I do not understand this discussion. It would be wise to
store passwords in an encrypted way. I have seen compromized servers on
the client's side in the last years and security threats will even
increase in the future. The more we protect our sensible data the safer
the system will be for the future. There is a growing number of
companies in Germany (even the very big ones as Deutsche Telecom) who
recently had to tell their customers that a huge amount of sensible data
was lost.

I am not asking for doing it right now, but I would love to have it
somehow on the roadmap for the future.

Best regards
Peter

Kristian Kielhofner schrieb:
Quote:
On 10/20/08, Peter P GMX <Prometheus001@gmx.net> wrote:

Quote:
Hello Brian,

i have learned im my life that any server can be compromized if anyone
uses enough effort to hack it. Thus I simply try to prevent storing
passwords in clear text.
I am actually trying to setup a secure system with TLS/SRTP and handling
clear text passwords didn't really fit into this concept.

Best regards
Peter


If your server is compromised and they can read your config files they
can read the file store, db, etc and have access to everything (VM?)
that pin would have access to.



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
kkielhofner at star2st...
Guest





PostPosted: Mon Oct 20, 2008 4:56 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

On 10/20/08, Peter P GMX <Prometheus001@gmx.net> wrote:
Quote:
Hello Brian,

i have learned im my life that any server can be compromized if anyone
uses enough effort to hack it. Thus I simply try to prevent storing
passwords in clear text.
I am actually trying to setup a secure system with TLS/SRTP and handling
clear text passwords didn't really fit into this concept.

Best regards
Peter

If your server is compromised and they can read your config files they
can read the file store, db, etc and have access to everything (VM?)
that pin would have access to.

--
Kristian Kielhofner
http://blog.krisk.org
http://www.submityoursip.com
http://www.astlinux.org
http://www.star2star.com

_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
anthony.minessale at g...
Guest





PostPosted: Mon Oct 20, 2008 6:28 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

if you want to test latest trunk i added code that *should* let you auth the vm using the same
a1-hash also we added an "md5" api command to mod_commands so you can use it in your own apps.

${md5(some data)}



On Mon, Oct 20, 2008 at 4:43 PM, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:
Quote:
I think we can agree that the more passwords are available in clear text
the more problems we will have if a system is compromized. Therefore
it's common practise to not store passwords in clear text. In our case
we use xml-curl to store the directory data in a database for a
distributed freeswitch network. I simply try to avoid having a database
with clear text passwords. VM-Passwords may not be a bigger problem, but
gateway passwords and conference pins are.

One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
store it the database and decrypt it on the fly when it is needed. This
moves the security implementation to the application side with some
backdraws, as passwords can be retrieved with the decryption key and
passwords are transferred through the network (of course via SSL) and
the passwords are in the logs. This is how we do it for the time being.
Another idea, as I propose, is not to store the passwords but hashes.

To be honest: I do not understand this discussion. It would be wise to
store passwords in an encrypted way. I have seen compromized servers on
the client's side in the last years and security threats will even
increase in the future. The more we protect our sensible data the safer
the system will be for the future. There is a growing number of
companies in Germany (even the very big ones as Deutsche Telecom) who
recently had to tell their customers that a huge amount of sensible data
was lost.

I am not asking for doing it right now, but I would love to have it
somehow on the roadmap for the future.

Best regards
Peter

Kristian Kielhofner schrieb:
Quote:
On 10/20/08, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:

Quote:
Hello Brian,

i have learned im my life that any server can be compromized if anyone
uses enough effort to hack it. Thus I simply try to prevent storing
passwords in clear text.
I am actually trying to setup a secure system with TLS/SRTP and handling
clear text passwords didn't really fit into this concept.

Best regards
Peter


If your server is compromised and they can read your config files they
can read the file store, db, etc and have access to everything (VM?)
that pin would have access to.





_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org (Freeswitch-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org





--
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/

AIM: anthm
MSN:anthony_minessale@hotmail.com ([email]MSN%3Aanthony_minessale@hotmail.com[/email])
GTALK/JABBER/PAYPAL:anthony.minessale@gmail.com ([email]PAYPAL%3Aanthony.minessale@gmail.com[/email])
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:888@conference.freeswitch.org ([email]sip%3A888@conference.freeswitch.org[/email])
iax:guest@conference.freeswitch.org/888
googletalk:conf+888@conference.freeswitch.org ([email]googletalk%3Aconf%2B888@conference.freeswitch.org[/email])
pstn:213-799-1400
Back to top
mike at jerris.com
Guest





PostPosted: Mon Oct 20, 2008 6:51 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

just added vm-a1-hash as well that you can use to override the
standard a1 hash for voicemail use only.

Mike


On Oct 20, 2008, at 7:27 PM, Anthony Minessale wrote:

Quote:
if you want to test latest trunk i added code that *should* let you
auth the vm using the same
a1-hash also we added an "md5" api command to mod_commands so you
can use it in your own apps.

${md5(some data)}


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
mitch.capper at gmail.com
Guest





PostPosted: Mon Oct 20, 2008 6:57 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Certainly offering support for hashed passwords has benefits and as you mentioned can be done using something other than the flat file XML directory format and decoding on the fly. I think one reason it hasn't been looked at as a major issue yet is voicemail and conference passwords are generally only numbers so they can be dialed over a phone, even an 8 digit password is 10^8 combination which is not a whole lot of hashes to brute force, so compromising even one way passwords would not be a major feat. It may deter a compromised machine from giving up its secrets but it certainly is a very narrow frame of protection.

~Mitch
On Mon, Oct 20, 2008 at 5:43 PM, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:
Quote:
I think we can agree that the more passwords are available in clear text
the more problems we will have if a system is compromized. Therefore
it's common practise to not store passwords in clear text. In our case
we use xml-curl to store the directory data in a database for a
distributed freeswitch network. I simply try to avoid having a database
with clear text passwords. VM-Passwords may not be a bigger problem, but
gateway passwords and conference pins are.

One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
store it the database and decrypt it on the fly when it is needed. This
moves the security implementation to the application side with some
backdraws, as passwords can be retrieved with the decryption key and
passwords are transferred through the network (of course via SSL) and
the passwords are in the logs. This is how we do it for the time being.
Another idea, as I propose, is not to store the passwords but hashes.

To be honest: I do not understand this discussion. It would be wise to
store passwords in an encrypted way. I have seen compromized servers on
the client's side in the last years and security threats will even
increase in the future. The more we protect our sensible data the safer
the system will be for the future. There is a growing number of
companies in Germany (even the very big ones as Deutsche Telecom) who
recently had to tell their customers that a huge amount of sensible data
was lost.

I am not asking for doing it right now, but I would love to have it
somehow on the roadmap for the future.

Best regards
Peter

Kristian Kielhofner schrieb:
Quote:
On 10/20/08, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:

Quote:
Hello Brian,

i have learned im my life that any server can be compromized if anyone
uses enough effort to hack it. Thus I simply try to prevent storing
passwords in clear text.
I am actually trying to setup a secure system with TLS/SRTP and handling
clear text passwords didn't really fit into this concept.

Best regards
Peter


If your server is compromised and they can read your config files they
can read the file store, db, etc and have access to everything (VM?)
that pin would have access to.





_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org (Freeswitch-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org


Back to top
anthony.minessale at g...
Guest





PostPosted: Mon Oct 20, 2008 7:23 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

especially if you are not using srtp and you can just sniff the dtmf =D


On Mon, Oct 20, 2008 at 6:29 PM, Mitch Capper <mitch.capper@gmail.com (mitch.capper@gmail.com)> wrote:
Quote:
Certainly offering support for hashed passwords has benefits and as you mentioned can be done using something other than the flat file XML directory format and decoding on the fly. I think one reason it hasn't been looked at as a major issue yet is voicemail and conference passwords are generally only numbers so they can be dialed over a phone, even an 8 digit password is 10^8 combination which is not a whole lot of hashes to brute force, so compromising even one way passwords would not be a major feat. It may deter a compromised machine from giving up its secrets but it certainly is a very narrow frame of protection.

~Mitch

On Mon, Oct 20, 2008 at 5:43 PM, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:
Quote:
I think we can agree that the more passwords are available in clear text
the more problems we will have if a system is compromized. Therefore
it's common practise to not store passwords in clear text. In our case
we use xml-curl to store the directory data in a database for a
distributed freeswitch network. I simply try to avoid having a database
with clear text passwords. VM-Passwords may not be a bigger problem, but
gateway passwords and conference pins are.

One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
store it the database and decrypt it on the fly when it is needed. This
moves the security implementation to the application side with some
backdraws, as passwords can be retrieved with the decryption key and
passwords are transferred through the network (of course via SSL) and
the passwords are in the logs. This is how we do it for the time being.
Another idea, as I propose, is not to store the passwords but hashes.

To be honest: I do not understand this discussion. It would be wise to
store passwords in an encrypted way. I have seen compromized servers on
the client's side in the last years and security threats will even
increase in the future. The more we protect our sensible data the safer
the system will be for the future. There is a growing number of
companies in Germany (even the very big ones as Deutsche Telecom) who
recently had to tell their customers that a huge amount of sensible data
was lost.

I am not asking for doing it right now, but I would love to have it
somehow on the roadmap for the future.

Best regards
Peter

Kristian Kielhofner schrieb:
Quote:
On 10/20/08, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:

Quote:
Hello Brian,

i have learned im my life that any server can be compromized if anyone
uses enough effort to hack it. Thus I simply try to prevent storing
passwords in clear text.
I am actually trying to setup a secure system with TLS/SRTP and handling
clear text passwords didn't really fit into this concept.

Best regards
Peter


If your server is compromised and they can read your config files they
can read the file store, db, etc and have access to everything (VM?)
that pin would have access to.





_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org (Freeswitch-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org








_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org (Freeswitch-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org




--
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/

AIM: anthm
MSN:anthony_minessale@hotmail.com ([email]MSN%3Aanthony_minessale@hotmail.com[/email])
GTALK/JABBER/PAYPAL:anthony.minessale@gmail.com ([email]PAYPAL%3Aanthony.minessale@gmail.com[/email])
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:888@conference.freeswitch.org ([email]sip%3A888@conference.freeswitch.org[/email])
iax:guest@conference.freeswitch.org/888
googletalk:conf+888@conference.freeswitch.org ([email]googletalk%3Aconf%2B888@conference.freeswitch.org[/email])
pstn:213-799-1400
Back to top
Prometheus001 at gmx.net
Guest





PostPosted: Tue Oct 21, 2008 4:14 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Thanks for your support for the vm-passwords.

The most important part for us however is having hashed passwords for
external gateway definitions (we have a lot) and securing pins for
conferences.
Do we have a chance to add this also?

In our environment DTMF is of course transported via SRTP so this is
more secure (although the key exchange by SDES is known to have security
issues, as rtp streams may be replayed by a 3rd party, there is no
replay prevention mechanism in SDES and therefore also not in
freeswitch, hein?).

Best regards
Peter

Michael Jerris schrieb:
Quote:
just added vm-a1-hash as well that you can use to override the
standard a1 hash for voicemail use only.

Mike


On Oct 20, 2008, at 7:27 PM, Anthony Minessale wrote:


Quote:
if you want to test latest trunk i added code that *should* let you
auth the vm using the same
a1-hash also we added an "md5" api command to mod_commands so you
can use it in your own apps.

${md5(some data)}



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
brian at freeswitch.org
Guest





PostPosted: Tue Oct 21, 2008 4:44 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

Its called TLS...

/b

On Oct 21, 2008, at 4:30 PM, Peter P GMX wrote:

Quote:
In our environment DTMF is of course transported via SRTP so this is
more secure (although the key exchange by SDES is known to have
security
issues, as rtp streams may be replayed by a 3rd party, there is no
replay prevention mechanism in SDES and therefore also not in
freeswitch, hein?).


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Back to top
anthony.minessale at g...
Guest





PostPosted: Tue Oct 21, 2008 4:59 pm    Post subject: [Freeswitch-users] Passwords in clear text Reply with quote

the sofia library we depend on requires you to feed it plain passwords for outbound auth.
We would have to pressure them to expose a way for us to pre-hash them.

As an alternative, you can always use xml-curl + https url to fetch the configs from your db on the fly over a secure
connection but that won't stop the hacker from running gcore on fs and finding them in the ram somewhere just like if someone wants to break into your house he can just take a chainsaw and cut a hole in the side and walk in.
I'll ask the guy next time i talk to him.



On Tue, Oct 21, 2008 at 3:30 PM, Peter P GMX <Prometheus001@gmx.net (Prometheus001@gmx.net)> wrote:
Quote:
Thanks for your support for the vm-passwords.

The most important part for us however is having hashed passwords for
external gateway definitions (we have a lot) and securing pins for
conferences.
Do we have a chance to add this also?

In our environment DTMF is of course transported via SRTP so this is
more secure (although the key exchange by SDES is known to have security
issues, as rtp streams may be replayed by a 3rd party, there is no
replay prevention mechanism in SDES and therefore also not in
freeswitch, hein?).

Best regards
Peter

Michael Jerris schrieb:

Quote:
just added vm-a1-hash as well that you can use to override the
standard a1 hash for voicemail use only.

Mike


On Oct 20, 2008, at 7:27 PM, Anthony Minessale wrote:


Quote:
if you want to test latest trunk i added code that *should* let you
auth the vm using the same
a1-hash also we added an "md5" api command to mod_commands so you
can use it in your own apps.

${md5(some data)}



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org (Freeswitch-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org (Freeswitch-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org





--
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/

AIM: anthm
MSN:anthony_minessale@hotmail.com ([email]MSN%3Aanthony_minessale@hotmail.com[/email])
GTALK/JABBER/PAYPAL:anthony.minessale@gmail.com ([email]PAYPAL%3Aanthony.minessale@gmail.com[/email])
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:888@conference.freeswitch.org ([email]sip%3A888@conference.freeswitch.org[/email])
iax:guest@conference.freeswitch.org/888
googletalk:conf+888@conference.freeswitch.org ([email]googletalk%3Aconf%2B888@conference.freeswitch.org[/email])
pstn:213-799-1400
Back to top
Display posts from previous:   
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> freeSWITCH Users All times are GMT - 5 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

VoiceMeUp - Corporate & Wholesale VoIP Services