Hello Daniel,
I did think of this, but yes, that’s exactly my problem. Penetration testing will
highlight any and all tricks I might employ, definitely looking like we're going to
need to extend Kamailio somehow. If we can do it in a way that isn’t internally
sensitive, I’ll propose we create a pull request, maybe help someone else in the future?
Cheers - Robert...
On 16 Nov 2017, at 09:34, Daniel Tryba <d.tryba(a)pocos.nl> wrote:
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
> > > I'm working for a UK high street bank and our Kamailio implementation
> > > has been challenged because we've got database passwords held in clear
> > > in the configuration file.
> > > ...
> > > My requirement is simple, I need to be able to supply a password via
> > > means such as loading a variable from a run-once script at start up, or
> > > a module. The ideal would be to be able to read in a Docker secret :)
> >
> > you can define a for a token to be used inside kamailio.cfg by using -A
> > command line parameter. So when you start kamailio, fetch the password
> > from your secure system by what so ever meaning, then build the database
> > url based on it and run kamailio with:
> >
> > kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
>
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)
>
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (of course in a secure way (shred the
> file and overwrite all freespace with multiple patterns a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running.
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
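The import_file approach discussed in the thread, sketched as an added example that is not part of the original messages: a start-up helper reads the password from a secret file and writes an owner-only definitions file for kamailio.cfg to import. The secret path, the definitions path, the user/host/database defaults and the character whitelist are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout:
#   /run/secrets/kamailio_db_password   secret mounted by the orchestrator
#   /run/kamailio/dbdefs.cfg            definitions file on tmpfs
# kamailio.cfg is assumed to contain:
#   import_file "/run/kamailio/dbdefs.cfg"
# and to use DBURL for the database modules' db_url parameters.

# write_db_defs SECRET_FILE OUT_FILE [DB_USER] [DB_HOST] [DB_NAME]
write_db_defs() {
    secret_file=$1
    out_file=$2
    db_user=${3:-kamailio}
    db_host=${4:-dbhost}
    db_name=${5:-kamailio}

    [ -r "$secret_file" ] || { echo "secret not readable" >&2; return 1; }
    pass=$(cat "$secret_file")   # command substitution drops the trailing newline
    [ -n "$pass" ] || { echo "secret is empty" >&2; return 1; }

    # Conservative whitelist (assumption): only characters that need no
    # escaping in the quoted #!define value or in the database URL.
    case $pass in
        *[!A-Za-z0-9._~-]*)
            echo "secret contains unsupported characters" >&2
            return 1 ;;
    esac

    rm -f "$out_file"            # never inherit looser permissions from an old file
    (
        umask 077                # file is created 0600: owner read/write only
        # printf is a shell builtin, so the password never appears in argv
        # (unlike passing the URL with -A on the kamailio command line).
        printf '#!define DBURL "mysql://%s:%s@%s/%s"\n' \
            "$db_user" "$pass" "$db_host" "$db_name" > "$out_file"
    )
    unset pass
}

# Usage: script.sh SECRET_FILE OUT_FILE, then start kamailio; once it is
# running, delete OUT_FILE (on tmpfs the contents were never written to disk).
if [ "$#" -ge 2 ]; then
    write_db_defs "$@"
fi
```

The definitions file must be readable by the account that parses kamailio.cfg, so run the helper as that account or adjust ownership before start-up.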