Hi; I want to remove all plain text usernames and passwords from kamailio.cfg file. Like modparam("auth_db", "db_url", "dbdriver://username:password@dbhost/dbname") or this modparam("sqlops","sqlcon","ca=>dbdriver://username:password@dbhost/dbname") Can you help me with some ideas of how can I handle that? Thank you.
Don't use databases. Create an API and use it to access the data you need. Won't work for every possible usage, but in general API-driven SIP-routing is very possible with Kamailio, especially with KEMI.
On Wed, 18 Nov 2020 at 11:32, Ahmed Marsou amarsou1988@gmail.com wrote:
Hi; I want to remove all plain text usernames and passwords from kamailio.cfg file. Like modparam("auth_db", "db_url", "dbdriver://username:password@dbhost/dbname") or this modparam("sqlops","sqlcon","ca=>dbdriver://username:password@dbhost/dbname") Can you help me with some ideas of how can I handle that? Thank you.
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Alternative way is to use unixodbc, but it just means you put the password into another file.
On Wed, 18 Nov 2020 at 14:35, Alexandru Covalschi 568691@gmail.com wrote:
Don't use databases. Create an API and use it to access the data you need. Won't work for every possible usage, but in general API-driven SIP-routing is very possible with Kamailio, especially with KEMI.
-- Alexandru Covalschi VoIP engineer and system administrator tel: +37367398493
I just get the params from AWS Parameter Store and pass it to Kamailio on startup. Downside is you can see them in “ps”.
On Wed, 18 Nov 2020 at 12:40, Alexandru Covalschi 568691@gmail.com wrote:
Alternative way is to use unixodbc, but it just means you put the password into another file.
Thank you so much, David and Alexandru. I'm not sure but I read something about reading the config from my.cnf
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp419
The problem is that my.cnf has 600 permission and I'm running kamailio with user kamailio, so the question is: is there a way to read this file as root on startup but run kamailio as kamailio? The option AWS Parameter Store is something related to Amazon, right?
Thank you so much.
On Wed, 18 Nov 2020 at 15:29, David Villasmil (<david.villasmil.work@gmail.com>) wrote:
I just get the params from AWS Parameter Store and pass it to Kamailio on startup. Downside is you can see them in “ps”.
Sure, as root, read the file and start Kamailio with -u kamailio -g kamailio
On Wed, 18 Nov 2020 at 14:50, Ahmed Marsou amarsou1988@gmail.com wrote:
Thank you so much, David and Alexandru. I'm not sure but I read something about reading the config from my.cnf
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp419
The problem is that my.cnf has 600 permission and I'm running kamailio with user kamailio, so the question is: is there a way to read this file as root on startup but run kamailio as kamailio? The option AWS Parameter Store is something related to Amazon, right?
Thank you so much.
--
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
It is an interesting proposal to find a way for Kamailio to fetch external credentials in run-time, not having them in clear text in config files. Like integration with hashicorp vault or something.
/O
On 18 Nov 2020, at 15:50, Ahmed Marsou amarsou1988@gmail.com wrote:
Thank you so much, David and Alexandru. I'm not sure but I read something about reading the config from my.cnf
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp419
The problem is that my.cnf has 600 permission and I'm running kamailio with user kamailio, so the question is: is there a way to read this file as root on startup but run kamailio as kamailio? The option AWS Parameter Store is something related to Amazon, right?
Thank you so much.
Yes, in fact using API is the better way, but I need time to do it. Finally I added to kamailio.service a post and pre execution task that gives rights just on process start. Thank you so much to everybody.
On Thu, 19 Nov 2020 at 12:13, Olle E. Johansson (oej@edvina.net) wrote:
It is an interesting proposal to find a way for Kamailio to fetch external credentials in run-time, not having them in clear text in config files. Like integration with hashicorp vault or something.
/O
One alternative is to pass user/password via environment variables and then use #!substdef in configuration file, with the replacement using the corresponding $env(...) variables.
If the goal is protecting the configuration file content in long term against being read in the future, two other options:
- remove kamailio.cfg after starting kamailio, it is not needed at runtime
- encrypt kamailio.cfg and pipe its decrypted content to kamailio at startup, like:
decryptapp kamailio-encrypted.cfg | kamailio -f - ...
Cheers, Daniel
On 18.11.20 15:27, David Villasmil wrote:
I just get the params from AWS Parameter Store and pass it to Kamailio on startup. Downside is you can see them in “ps”.
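The two startup suggestions in this thread (read the root-only file as root and start Kamailio with -u kamailio -g kamailio; hand the credentials over in environment variables for #!substdef and $env(...)) can be combined in one wrapper. The script below is an added example, not code from any poster or from the Kamailio project; the file paths, the [client] section layout, the DBURL variable name, the host and database names and the kamailio.cfg lines in its header comment are assumptions.

```sh
#!/bin/sh
# Added example, not from any poster's setup. Assumed kamailio.cfg lines,
# following the #!substdef / $env(...) suggestion in the thread:
#   #!substdef "!DBURL!$env(DBURL)!g"
#   modparam("auth_db", "db_url", "DBURL")

KAMCFG=/etc/kamailio/kamailio.cfg   # assumed path

# Print the value of KEY from the [client] section of a my.cnf-style FILE.
cnf_get() {
  awk -v key="$2" '
    /^\[/ { in_client = ($0 == "[client]"); next }
    in_client && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Accept the secrets file only if group and others have no access.
check_mode() {
  mode=$(stat -c '%a' "$1") || return 1      # GNU stat (Linux)
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# build_dburl FILE HOST DB -> mysql://user:password@HOST/DB on stdout.
# The password is inserted as-is; characters such as @ or / are not escaped.
build_dburl() {
  check_mode "$1" || { echo "refusing $1: mode is not 600/400" >&2; return 1; }
  user=$(cnf_get "$1" user)
  pass=$(cnf_get "$1" password)
  [ -n "$user" ] && [ -n "$pass" ] || { echo "no user/password in $1" >&2; return 1; }
  printf 'mysql://%s:%s@%s/%s\n' "$user" "$pass" "$2" "$3"
}

# Run as root: the secret travels in the environment, so it does not show up
# in the argument list printed by ps; kamailio then drops to -u/-g itself.
start_kamailio() {
  DBURL=$(build_dburl "$1" "$2" "$3") || return 1
  export DBURL
  exec kamailio -f "$KAMCFG" -u kamailio -g kamailio
}

# Constructed sample input, for trying the parsing without a real my.cnf.
demo() {
  f=$(mktemp) || return 1
  printf '[mysqld]\nuser = mysql\n[client]\nuser = kamuser\npassword = s3cr=et\n' > "$f"
  chmod 600 "$f"
  build_dburl "$f" dbhost dbname
  rc=$?
  rm -f "$f"
  return $rc
}

if [ "${1:-}" = "--start" ]; then
  start_kamailio /root/.my.cnf dbhost dbname   # assumed file, host and db names
fi
```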
On 18.11.20 16:45, Daniel-Constantin Mierla wrote:
One alternative is to pass user/password via environment variables and then use #!substdef in configuration file, with the replacement using the corresponding $env(...) variables.
If the goal is protecting the configuration file content in long term against being read in the future, two other options:
- remove kamailio.cfg after starting kamailio, it is not needed at runtime
Obviously, instead of removing, the permissions of kamailio.cfg can be changed after starting kamailio -- adding this after seeing in another message being mentioned the option with mysql my.cfg, user/password is in a local file anyhow.
Cheers, Daniel
- encrypt kamailio.cfg and pipe its decrypted content to kamailio at startup, like:
decryptapp kamailio-encrypted.cfg | kamailio -f - ...
Cheers, Daniel
-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla
Yes, I agree that anyhow it will be on local, but only root user has the right to read this file. So how can I change the permission of my.cnf file to be able to read it from kamailio only when I start or reboot? Thank you.
On Wed, 18 Nov 2020, 17:18, Daniel-Constantin Mierla miconda@gmail.com wrote:
On 18.11.20 16:45, Daniel-Constantin Mierla wrote:
One alternative is to pass user/password via environment variables and then use #!substdef in configuration file, with the replacement using the corresponding $env(...) variables.
If the goal is protecting the configuration file content in long term against being read in the future, two other options:
- remove kamailio.cfg after starting kamailio, it is not needed at runtime
Obviously, instead of removing, the permissions of kamailio.cfg can be changed after starting kamailio -- adding this after seeing in another message being mentioned the option with mysql my.cfg, user/password is in a local file anyhow.
Cheers, Daniel
- encrypt kamailio.cfg and pipe its decrypted content to kamailio at startup, like:
decryptapp kamailio-encrypted.cfg | kamailio -f - ...