I was wondering if we could protect against both. Sending a password encrypted would protect against eavesdropping. Once the password has been received, the hash of it is taken and compared with the hash of the password saved, so it also takes care of a local attacker.
I could certainly use SSL/TLS, but that still doesn't take care of a local attack to obtain the passwords of the users.

Thanks
Jez

--- Tzafrir Cohen <[EMAIL PROTECTED]> wrote:

> On Mon, Nov 27, 2006 at 05:12:19PM -0800, jezzzz . wrote:
> > Thanks for the response Tzafrir. I meant
> > voicemail.conf for the passwords of course - my
> > mistake. Trying to ensure that if voicemail.conf is
> > opened by an attacker that all the passwords are not
> > readily available. By hashing them or encrypting them
> > in a DB it's going to be much harder for an attacker
> > to obtain access to the passwords.
> >
> > The only way to encrypt the sending of passwords to
> > the voicemail is by using SIP-TLS?
>
> Those are two conflicting goals. If you only save a hash of the
> password, as in /etc/shadow, you cannot reproduce the original password
> from it in order to calculate "similar" hashes for challenge-and-response
> authentication.
>
> So do you want to protect from an eavesdropper or from a local attacker?
> Anyway, at the current state of affairs, you get basically nothing.
>
> > (which is not yet
> > in production stage?).
>
> If we leave development issues aside and look at things you can use now:
> use stunnel to provide SSL/TLS support for it?

--
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
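The conflict between hash-only storage and challenge-and-response raised in the thread, as an added example that is not part of the original messages or of Asterisk's code. PBKDF2 and HMAC-SHA256 stand in for whichever hash and challenge-response scheme would be used; all function names and the sample PIN are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stored hash

def store_hashed(password: str) -> tuple[bytes, bytes]:
    """What a hashed password entry would hold: a salt and a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_plaintext(record: tuple[bytes, bytes], submitted: str) -> bool:
    """The server receives the password itself (e.g. through a TLS tunnel)
    and re-hashes it, so a hash-only store is sufficient."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def cr_response(secret: bytes, nonce: bytes) -> bytes:
    """Challenge-response: prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def demo() -> dict[str, bool]:
    password = "4711"  # constructed sample voicemail PIN
    record = store_hashed(password)
    nonce = os.urandom(16)  # server's challenge
    client = cr_response(password.encode(), nonce)

    # A server that kept the plaintext can recompute the client's response.
    server_plain = cr_response(password.encode(), nonce)
    # A server that kept only the hash has nothing equivalent to key with.
    # If the client keyed on the stored digest instead, the digest itself
    # would become the password-equivalent secret a local attacker could use.
    server_hashed = cr_response(record[1], nonce)

    return {
        "plaintext_over_tunnel_ok": verify_plaintext(record, password),
        "wrong_password_rejected": not verify_plaintext(record, "0000"),
        "cr_with_plaintext_store": hmac.compare_digest(client, server_plain),
        "cr_with_hashed_store": hmac.compare_digest(client, server_hashed),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```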
