Security

natedev

I've noticed that all the extension passwords (website, SIP, and PINs) are stored in clear text on the pbxnsip server. I'd like to suggest that you store a hash of the website and PIN passwords. I know the SIP password has to be able to be transmitted to the phones. It could use a reversible encryption.


We thought about that also. However, when you change a domain name or change one of the alias names, then a hash would not work anymore. Encrypting it with a hardcoded key only "obscures" the passwords (until someone gets the bit secret out of the code). Encrypting it using the private key of the PBX (used for TLS) would be a possibility.

 

At least the sys admin login uses a hash for the password!

 

And of course, file system access should be strict. This is not a public area.


If you're storing a hash (like a simple MD5) of the user's web password and PIN, I wouldn't expect the hash to break if the alias or domain name is changed, so long as you don't use the alias or domain name to calculate the hash.


Well the problem is when the user decides to change the username you cannot generate a new hash. If we are using the hash method we have to request users to re-enter their passwords.
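The two sides of this thread are talking about two different kinds of hash. For the SIP password, a server that wants to keep verifying Digest authentication without the cleartext can store HA1 = MD5(user:realm:password), but that value is bound to the username and realm, which is exactly why a rename forces the user to re-enter the password. For the web password and PIN, a hash with a random salt has no such dependency and survives renames. The Python below is an added example written for this page, not pbxnsip code; the usernames, realm, passwords and storage format are constructed for illustration, and PBKDF2-HMAC-SHA256 is the editor's choice for the salted hash (Digest itself fixes MD5 for HA1).

```python
"""Added example: how the two password-storage schemes discussed above behave
when an extension is renamed. Not pbxnsip code; all sample values are constructed."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials (not from any real deployment).
USER = "alice"
REALM = "pbx.example.com"
SIP_PASSWORD = "s3cret-sip"
WEB_PASSWORD = "web-pass-123"


def sip_ha1(user: str, realm: str, password: str) -> str:
    """HA1 from HTTP/SIP Digest authentication (RFC 2617 / RFC 3261):
    MD5(user:realm:password). A server can store HA1 instead of the SIP
    password and still verify Digest responses, but HA1 is tied to the
    username and realm, so changing either one invalidates the stored value."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Digest response as the phone computes it (no qop): MD5(HA1:nonce:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server-side check that needs only the stored HA1, never the cleartext password."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, slow hash for the web password or PIN (PBKDF2-HMAC-SHA256).
    The salt is random and independent of username and domain, so renames do
    not invalidate it, and the iteration count slows offline guessing in a way
    a bare MD5 of a 4-digit PIN would not. Storage format is this example's own."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the PBKDF2 hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def rename_effects(old_user: str, new_user: str, realm: str) -> dict:
    """What an account rename does to each stored form. The server keeps the
    records it made under old_user; the phone is re-provisioned with new_user
    and the unchanged SIP password, then sends a REGISTER."""
    stored_ha1 = sip_ha1(old_user, realm, SIP_PASSWORD)
    stored_web = hash_secret(WEB_PASSWORD)

    nonce = os.urandom(8).hex()
    uri = f"sip:{realm}"
    phone_ha1 = sip_ha1(new_user, realm, SIP_PASSWORD)
    phone_response = digest_response(phone_ha1, "REGISTER", uri, nonce)

    return {
        # Fails when new_user != old_user: the stored HA1 embeds the old name.
        "sip_ok_after_rename": verify_digest(stored_ha1, "REGISTER", uri, nonce, phone_response),
        # Random salt, no username in the input: still verifies after the rename.
        "web_ok_after_rename": verify_secret(WEB_PASSWORD, stored_web),
    }


if __name__ == "__main__":
    print("same name:", rename_effects(USER, USER, REALM))
    print("renamed:  ", rename_effects(USER, "alice2", REALM))
```

Run it and the `renamed` line shows the split the thread is circling: the SIP check fails until the user re-enters the password (or the server re-derives HA1 from a cleartext it no longer holds), while the salted web hash keeps working. The same logic applies to a domain or alias change, since the realm is the other input to HA1.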
