Hello,
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
I am unable to find any examples of where this has been worked around; there doesn’t seem to be any module or configuration means of supplying a variable in the modparam() entry that is expanded at startup. The security tutorials only seem to relate to the SIP level of security, not Kamailio as a platform.
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
I am by no means a Kamailio expert, so apologies in advance if this is a mindblowingly basic thing to achieve, but I do feel I’ve exhausted the Kamailio documentation, wiki etc. and all the goodness Google usually has to offer and drawn a blank.
Sincere thanks in advance for any assistance.
Cheers - Robert...
Hello,
On 14.11.17 14:25, Robert wrote:
Hello,
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
I am unable to find any examples of where this has been worked around; there doesn’t seem to be any module or configuration means of supplying a variable in the modparam() entry that is expanded at startup. The security tutorials only seem to relate to the SIP level of security, not Kamailio as a platform.
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
I am by no means a Kamailio expert, so apologies in advance if this is a mindblowingly basic thing to achieve, but I do feel I’ve exhausted the Kamailio documentation, wiki etc. and all the goodness Google usually has to offer and drawn a blank.
Sincere thanks in advance for any assistance.
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
You may need to enclose in double quotes inside the single quotes, I am not sure at this moment, but sometimes the shell 'eats' a pair of quotes, so just try with it if the first fails ...
Cheers, Daniel
Thank you Daniel. This provides me with some capability, but I can’t seem to consume the result in the configuration; I just get lots of errors. The issue seems to be that the value of the define, passed via -A, doesn’t seem to be processed in any way.
I’ve had a quick look in the cfg.lex and cfg.y files, but that’s the first time delving into Flex etc. so I’m not sure I’m following it correctly.
I’ve tried every combination of encapsulation of the parameters in single and double quotes I can think of, i.e. -A DBURL="…", -A "DBURL=…", all with the same result.
I also tried #!subst "/DB_URL/DBURL/g" but that doesn’t seem to expand out the DBURL define.
In short, I’m stumped… Any further thoughts would be truly appreciated. I’ve put a few error details in the mail below. I’m feeling that I may need to resort to changing the behaviour of the subst directive to meet my needs (more likely, add substvar, substfromfile or some such).
Any further thoughts would be truly welcome, otherwise I think I’m going to have to dig out my dusty K&R book and roll my sleeves up… Sincere thanks in advance for any ideas.
Cheers - Robert...
-------------------------------------------------------------------------------------------------------------------------
In the configuration file, I have failures for example on:
modparam("htable", "db_url", DBURL)
when launched with the -A results in:
0(7) DEBUG: <core> [core/cfg.lex:1838]: pp_define_get(): ### returning define ID [DBURL] value [oracle://username:password@/DB]
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid arguments
0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: ERROR: bad config file (3 errors)
I’ve tried with #!subst but it seems that pre-processor directive doesn’t expand out defines, so:
#!subst "/DB_URL/DBURL/g"
modparam("htable", "db_url", DB_URL)
just results in:
0(7) INFO: <core> [core/ppcfg.c:82]: pp_subst_add(): ### added subst expression: /DB_URL/DBURL/g
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid arguments
0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: ERROR: bad config file (3 errors)
On 15 Nov 2017, at 07:46, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 14.11.17 14:25, Robert wrote:
Hello,
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
I am unable to find any examples of where this has been worked around; there doesn’t seem to be any module or configuration means of supplying a variable in the modparam() entry that is expanded at startup. The security tutorials only seem to relate to the SIP level of security, not Kamailio as a platform.
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
I am by no means a Kamailio expert, so apologies in advance if this is a mindblowingly basic thing to achieve, but I do feel I’ve exhausted the Kamailio documentation, wiki etc. and all the goodness Google usually has to offer and drawn a blank.
Sincere thanks in advance for any assistance.
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
You may need to enclose in double quotes inside the single quotes, I am not sure at this moment, but sometimes the shell 'eats' a pair of quotes, so just try with it if the first fails ...
Cheers, Daniel
-- Daniel-Constantin Mierla www.twitter.com/miconda http://www.twitter.com/miconda -- www.linkedin.com/in/miconda http://www.linkedin.com/in/miconda Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com http://www.asipto.com/ Kamailio World Conference - www.kamailioworld.com http://www.kamailioworld.com/
On 15.11.17 18:27, Robert wrote:
Thank you Daniel. This provides me with some capability, but I can’t seem to consume the result in the configuration; I just get lots of errors. The issue seems to be that the value of the define, passed via -A, doesn’t seem to be processed in any way.
I’ve had a quick look in the cfg.lex and cfg.y files, but that’s the first time delving into Flex etc. so I’m not sure I’m following it correctly.
I’ve tried every combination of encapsulation of the parameters in single and double quotes I can think of, i.e. -A DBURL="…", -A "DBURL=…", all with the same result.
The variants of quoting were referring to the value of DBURL, maybe it was not clear ... Anyhow, I just tried and the next command starts kamailio with the default config:
./src/kamailio -f etc/kamailio.cfg -A WITH_MYSQL -A WITH_AUTH -A DBURL='"mysql://kamailio:kamailiorw@localhost/kamailio"' -L src/modules/ -a no -E -e -ddd
Note that the value for DBURL is enclosed first in between ' ' and then inside are " ".
Cheers, Daniel
I also tried #!subst "/DB_URL/DBURL/g" but that doesn’t seem to expand out the DBURL define.
In short, I’m stumped… Any further thoughts would be truly appreciated. I’ve put a few error details in the mail below. I’m feeling that I may need to resort to changing the behaviour of the subst directive to meet my needs (more likely, add substvar, substfromfile or some such).
Any further thoughts would be truly welcome, otherwise I think I’m going to have to dig out my dusty K&R book and roll my sleeves up… Sincere thanks in advance for any ideas.
Cheers - Robert...
In the configuration file, I have failures for example on:
modparam("htable", "db_url", DBURL)
when launched with the -A results in:
0(7) DEBUG: <core> [core/cfg.lex:1838]: pp_define_get(): ### returning define ID [DBURL] value [oracle://username:password@/DB]
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid arguments
0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: ERROR: bad config file (3 errors)
I’ve tried with #!subst but it seems that pre-processor directive doesn’t expand out defines, so:
#!subst "/DB_URL/DBURL/g"
modparam("htable", "db_url", DB_URL)
just results in:
0(7) INFO: <core> [core/ppcfg.c:82]: pp_subst_add(): ### added subst expression: /DB_URL/DBURL/g
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid arguments
0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: ERROR: bad config file (3 errors)
On 15 Nov 2017, at 07:46, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 14.11.17 14:25, Robert wrote:
Hello,
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
I am unable to find any examples of where this has been worked around; there doesn’t seem to be any module or configuration means of supplying a variable in the modparam() entry that is expanded at startup. The security tutorials only seem to relate to the SIP level of security, not Kamailio as a platform.
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
I am by no means a Kamailio expert, so apologies in advance if this is a mindblowingly basic thing to achieve, but I do feel I’ve exhausted the Kamailio documentation, wiki etc. and all the goodness Google usually has to offer and drawn a blank.
Sincere thanks in advance for any assistance.
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
You may need to enclose in double quotes inside the single quotes, I am not sure at this moment, but sometimes the shell 'eats' a pair of quotes, so just try with it if the first fails ...
Cheers, Daniel
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
Hi,
Not sure that this helps, but below is how I solved a similar issue by generating an include file inside the Dockerfile using env variables, but this is not a good approach for sensitive data.
echo "modparam(\"http_client\", \"httpcon\", \"apiserver=>https://$apiurl\")" >> /kamailio.apiurl
I believe you can use docker secrets, as described below, but I never used them so I can't help much:
https://medium.com/@basi/docker-environment-variables-expanded-from-secrets-...
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:34 AM, Daniel Tryba d.tryba@pocos.nl wrote:
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hello Jurijs,
Thank you for the link, Docker secrets is definitely something that would be an option, and yes, holding anything in a variable or somewhere it can be easily queried isn’t going to work.
We’ll see what happens.
Cheers - Robert...
On 16 Nov 2017, at 10:41, Jurijs Ivolga jurijs.ivolga@gmail.com wrote:
Hi,
Not sure that this helps, but below is how I solved a similar issue by generating an include file inside the Dockerfile using env variables, but this is not a good approach for sensitive data.
echo "modparam(\"http_client\", \"httpcon\", \"apiserver=>https://$apiurl\")" >> /kamailio.apiurl
I believe you can use docker secrets, as described below, but I never used them so I can't help much:
https://medium.com/@basi/docker-environment-variables-expanded-from-secrets-8fa70617b3bc
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:34 AM, Daniel Tryba d.tryba@pocos.nl wrote:
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
Hello Daniel,
I did think of this, but yes, that’s exactly my problem. Penetration testing will highlight any and all tricks I might employ; it's definitely looking like we're going to need to extend Kamailio somehow. If we can do it in a way that isn’t internally sensitive, I’ll propose we create a pull request, maybe help someone else in the future?
Cheers - Robert...
On 16 Nov 2017, at 09:34, Daniel Tryba d.tryba@pocos.nl wrote:
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
Isn't using a group in the db URL an option? Generate some .cnf in /etc/mysql/conf.d (or where MySQL searches its configuration in a Docker container) from the secret and use the group in your db URL in kamailio.cfg.
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
On Thu, 2017-11-16 at 20:22 +0000, Robert wrote:
Hello Daniel,
I did think of this, but yes, that’s exactly my problem. Penetration testing will highlight any and all tricks I might employ; it's definitely looking like we're going to need to extend Kamailio somehow. If we can do it in a way that isn’t internally sensitive, I’ll propose we create a pull request, maybe help someone else in the future?
Cheers - Robert...
On 16 Nov 2017, at 09:34, Daniel Tryba d.tryba@pocos.nl wrote:
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatsoever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
That’d presumably leave the clear text footprint I'm trying to avoid, albeit in a non-Kamailio file. I’ve made a start on an approach to read from a file, Docker secrets are basically just files, but the Docker platform handles them securely.
Thanks - Robert...
On 16 Nov 2017, at 21:46, Bastian Triller bastian.triller@gmail.com wrote:
Isn't using a group in the db URL an option? Generate some .cnf in /etc/mysql/conf.d (or where MySQL searches its configuration in a Docker container) from the secret and use the group in your db URL in kamailio.cfg.
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
Hi Robert,
I'm not a security expert and I'm quite new to docker, but I think a password in a Docker container which is saved somewhere in clear text should not be a problem, as long as you do not save this password to the image or git etc...
I think the best way for you is to use a docker secret, then generate the config file for Kamailio using this docker secret and then start Kamailio; for all of this you need to write some kind of Entrypoint script. Here is an example of how Homer Sipcapture does something similar: they set environment variables in docker-compose and then generate the config file based on these, but you can probably use docker secrets instead of environment variables:
https://github.com/sipcapture/homer-docker/tree/master/kamailio
I found one more interesting link regarding docker secrets:
https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:58 PM, Robert robert@vooey.co.uk wrote:
That’d presumably leave the clear text footprint I'm trying to avoid, albeit in a non-Kamailio file. I’ve made a start on an approach to read from a file, Docker secrets are basically just files, but the Docker platform handles them securely.
Thanks - Robert...
On 16 Nov 2017, at 21:46, Bastian Triller bastian.triller@gmail.com wrote:
Isn't using a group in the db URL an option? Generate some .cnf in /etc/mysql/conf.d (or where MySQL searches its configuration in a Docker container) from the secret and use the group in your db URL in kamailio.cfg.
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
Hello,
just remembered that a while ago I added support for the config file name '-' (dash/minus char), which means kamailio reads the config from standard input. This can be used to direct the content of kamailio.cfg from a safe system. For example, if one stores the config file on a web server, one can do:
curl https://myserver.com/kamailio.cfg | kamailio -f -
It can be a webserver asking for a password.
In the context of keeping it encrypted, there can be a tool that fetches and decrypts the kamailio.cfg content and prints it to the standard output.
Using this, not even kamailio.cfg needs to be saved on the local disk.
On the other hand, as I said in a previous response, if an untrusted person gets access with root privileges, then they can attach to a running kamailio process with gdb and read from memory.
Cheers, Daniel
On 17.11.17 08:02, Jurijs Ivolga wrote:
Hi Robert,
I'm not a security expert and I'm quite new to docker, but I think a password in a Docker container which is saved somewhere in clear text should not be a problem, as long as you do not save this password to the image or git etc...
I think the best way for you is to use a docker secret, then generate the config file for Kamailio using this docker secret and then start Kamailio; for all of this you need to write some kind of Entrypoint script. Here is an example of how Homer Sipcapture does something similar: they set environment variables in docker-compose and then generate the config file based on these, but you can probably use docker secrets instead of environment variables:
https://github.com/sipcapture/homer-docker/tree/master/kamailio
I found one more interesting link regarding docker secrets:
https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:58 PM, Robert robert@vooey.co.uk wrote:
That’d presumably leave the clear text footprint I'm trying to avoid, albeit in a non-Kamailio file. I’ve made a start on an approach to read from a file, Docker secrets are basically just files, but the Docker platform handles them securely.
Thanks - Robert...
On 16 Nov 2017, at 21:46, Bastian Triller bastian.triller@gmail.com wrote:
Isn't using a group in the db URL an option? Generate some .cnf in /etc/mysql/conf.d (or where MySQL searches its configuration in a Docker container) from the secret and use the group in your db URL in kamailio.cfg.
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
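As an added example (not code from this thread or from the Kamailio project), here is an entrypoint script that combines the suggestions above: it reads the password from a Docker secret file, builds the db_url, and streams the whole kamailio.cfg to `kamailio -f -` with a `#!define DBURL "..."` line prepended, so the password is neither in a file on the kamailio host nor in kamailio's argv (the process-list exposure raised earlier in the thread). The secret path /run/secrets/db_password, the template path /etc/kamailio/kamailio.cfg.tmpl and the database name, user and host are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Kamailio: read the DB
# password from a Docker secret, build db_url, and feed the rendered config
# to "kamailio -f -" on stdin. Nothing secret lands in a file on the kamailio
# host or in kamailio's argv.
# Assumptions (placeholders): the secret is mounted at /run/secrets/db_password
# and the config template is /etc/kamailio/kamailio.cfg.tmpl.
set -eu

# Print the secret without its trailing newline (docker secret files and
# editors usually leave one); refuse a file that is readable by "other".
read_secret() {
    secret_file=$1
    if [ ! -f "$secret_file" ]; then
        echo "secret file $secret_file is missing" >&2
        return 1
    fi
    # GNU stat first, BSD stat as fallback; %a / %Lp print the octal mode.
    mode=$(stat -c '%a' "$secret_file" 2>/dev/null || stat -f '%Lp' "$secret_file")
    case $mode in
        *[4567])
            echo "secret file $secret_file is world-readable (mode $mode)" >&2
            return 1 ;;
    esac
    tr -d '\r\n' < "$secret_file"
}

# Kamailio db_url is scheme://user:password@host/dbname. A password containing
# ":" "@" or "/" would be mis-parsed, so reject it rather than emit a bad URL.
build_db_url() {
    scheme=$1; user=$2; password=$3; host=$4; dbname=$5
    case $password in
        *[:@/]*)
            echo "password contains ':' '@' or '/', not safe in a db_url" >&2
            return 1 ;;
    esac
    printf '%s://%s:%s@%s/%s' "$scheme" "$user" "$password" "$host" "$dbname"
}

# Emit the complete config: a #!define for DBURL followed by the template.
# The double quotes are part of the define value, for the same reason as in
# -A DBURL='"..."': modparam("...", "db_url", DBURL) needs a quoted string.
render_cfg() {
    db_url=$1; template=$2
    printf '#!define DBURL "%s"\n' "$db_url"
    cat "$template"
}

# Container entry point: the only config-related argument kamailio sees is "-f -".
main() {
    pw=$(read_secret /run/secrets/db_password)
    url=$(build_db_url mysql kamailio "$pw" dbhost kamailio)
    render_cfg "$url" /etc/kamailio/kamailio.cfg.tmpl | kamailio -DD -E -f -
}

# Run main only when invoked as "entrypoint.sh run", so the functions can be
# sourced or tested without a secret or a kamailio binary present.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The rendered config is only ever in the pipe and in kamailio's memory, which is exactly the residual exposure (root plus a debugger) that Daniel describes.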
Hello Daniel,
Sincere apologies for the tardy reply! There are lots of challenges I’ll face, but fortunately I only need to secure the application, it is for others to worry about preventing platform access etc. (but on the hardened OS, I’d be amazed if gdb was available ;).
The -f - solution may be what is the best approach.
Thank you.
Robert.
On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
just remembered that a while ago I added support for the config file name '-' (dash/minus char), which means kamailio reads the config from standard input. This can be used to direct the content of kamailio.cfg from a safe system. For example, if one stores the config file on a web server, one can do:
curl https://myserver.com/kamailio.cfg | kamailio -f -
It can be a webserver asking for a password.
In the context of keeping it encrypted, there can be a tool that fetches and decrypts the kamailio.cfg content and prints it to the standard output.
Using this, not even kamailio.cfg needs to be saved on the local disk.
On the other hand, as I said in a previous response, if an untrusted person gets access with root privileges, then they can attach to a running kamailio process with gdb and read from memory.
Cheers, Daniel
On 17.11.17 08:02, Jurijs Ivolga wrote:
Hi Robert,
I'm not a security expert and I'm quite new to docker, but I think a password in a Docker container which is saved somewhere in clear text should not be a problem, as long as you do not save this password to the image or git etc...
I think the best way for you is to use a docker secret, then generate the config file for Kamailio using this docker secret and then start Kamailio; for all of this you need to write some kind of Entrypoint script. Here is an example of how Homer Sipcapture does something similar: they set environment variables in docker-compose and then generate the config file based on these, but you can probably use docker secrets instead of environment variables:
https://github.com/sipcapture/homer-docker/tree/master/kamailio
I found one more interesting link regarding docker secrets:
https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:58 PM, Robert robert@vooey.co.uk wrote:
That’d presumably leave the clear text footprint I'm trying to avoid, albeit in a non-Kamailio file. I’ve made a start on an approach to read from a file, Docker secrets are basically just files, but the Docker platform handles them securely.
Thanks - Robert...
On 16 Nov 2017, at 21:46, Bastian Triller <bastian.triller@gmail.com mailto:bastian.triller@gmail.com> wrote:
isn't using a group in the db URL an option? Generate some .cnf in /etc/mysql/conf.d (or where MySQL searches its configuration in a Docker container) from the secret and use the group in your db URL in kamailio.cfg.
http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp419 http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp419 97212
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training - www.asipto.com Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
Hello,
On 30.11.17 21:39, Robert wrote:
Hello Daniel,
Sincere apologies for the tardy reply! There are lots of challenges I’ll face, but fortunately I only need to secure the application, it is for others to worry about preventing platform access etc. (but on the hardened OS, I’d be amazed if gdb was available ;).
kamailio is usually started as root to read protected files like kamailio.cfg as well as to create control files/sockets, and then switches to an unprivileged user (e.g., kamailio). If one gets root, installing gdb or other tools won't be a big deal ...
Cheers, Daniel
The -f - solution may be the best approach.
Thank you.
Robert.
On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
just remembered that a while ago I added support for the config file name '-' (dash/minus char), which means kamailio reads the config from standard input. This can be used to direct the content of kamailio.cfg from a safe system. For example, if one stores the config file on a web server, one can do:
curl https://myserver.com/kamailio.cfg | kamailio -f -
It can be a webserver asking for a password.
In the context of keeping it encrypted, there can be a tool that fetches and decrypts kamailio.cfg content and prints it to the standard output.
Using this, not even kamailio.cfg needs to be saved on the local disc.
On the other hand, as I said in a previous response, if an untrusted person gets access with root privileges, then it can attach to a running kamailio process with gdb and read from memory.
Cheers, Daniel
On 16.11.17 10:34, Daniel Tryba wrote:
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
you can define a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatever means, then build the database url based on it and run kamailio with:
kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Indeed, this is a valid concern in this context.
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
Right, a better option is the included file that can be removed. With the default kamailio.cfg, one can generate kamailio-local.cfg in the same folder as kamailio.cfg, and inside kamailio-local.cfg one can have:
#!define DBURL "...."
Once kamailio is started, the file can be removed.
On the other hand, if the file is accessible only by the root user and nobody can see it, removing it won't add much protection, maybe just for the long term when the server is dismissed and it's good not to have a file with such content. Because someone with root access can deploy gdb and then attach to a running kamailio process and read values from its memory...
Cheers, Daniel
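As an added example, not code from any participant in this thread: an entrypoint script that combines the suggestions above (Jurijs's Docker-secret entrypoint, Daniel's `kamailio -f -` stdin config, and the `#!define DBURL` token). It reads the password from a Docker secret file, renders the config on stdout and pipes it into kamailio, so the password is never written to disk by the script and never shows up in the process list the way an `-A DBURL=...` argument would. The secret name, template path and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Docker entrypoint that reads the DB
# password from a Docker secret, builds kamailio.cfg on stdout and pipes it
# into `kamailio -f -`, so the password is neither written to disk by this
# script nor visible in argv / the process list.
set -eu

# Assumed secret name and template path; override via environment.
SECRET_FILE="${DB_PASSWORD_FILE:-/run/secrets/kamailio_db_password}"
TEMPLATE="${KAMAILIO_TEMPLATE:-/etc/kamailio/kamailio.cfg.tmpl}"

# Print the secret held in file $1; fail on a missing or empty file.
read_secret() {
    f="$1"
    [ -r "$f" ] || { echo "entrypoint: cannot read secret $f" >&2; return 1; }
    s=$(cat "$f")              # command substitution drops the trailing newline
    [ -n "$s" ] || { echo "entrypoint: secret $f is empty" >&2; return 1; }
    printf '%s' "$s"
}

# Emit the rendered config: a #!define for DBURL followed by the template,
# whose modparam() lines reference DBURL (template content is constructed).
render_config() {
    secret_file="$1"; template="$2"
    pw=$(read_secret "$secret_file") || return 1
    case "$pw" in
        # Conservative check: these characters break db URL parsing or the
        # quoted #!define string, so refuse rather than emit a broken config.
        *[:@/]* | *\"*)
            echo "entrypoint: password contains a character not allowed in a db URL" >&2
            return 1 ;;
    esac
    printf '#!define DBURL "mysql://%s:%s@%s/%s"\n' \
        "${DB_USER:-kamailio}" "$pw" "${DB_HOST:-db}" "${DB_NAME:-kamailio}"
    cat "$template"
}

# Render first so a failure is reported before kamailio starts; the config
# then reaches kamailio via stdin only (-DD: stay in foreground, -E: log to stderr).
main() {
    cfg=$(render_config "$SECRET_FILE" "$TEMPLATE") || exit 1
    printf '%s\n' "$cfg" | kamailio -f - -DD -E "$@"
}

# The Dockerfile sets ENV KAMAILIO_ENTRYPOINT=1; sourcing this file without it
# only defines the functions and does not start kamailio.
if [ "${KAMAILIO_ENTRYPOINT:-0}" = 1 ]; then
    main "$@"
fi
```

Daniel's caveat still applies: anyone with root in the container can attach gdb to the running process and read the password from memory; this only removes the on-disk and process-list copies.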