[SR-Users] DBURL password in clear

[Robert]

Hello Daniel,

I did think of this, but yes, that’s exactly my problem. Penetration testing will highlight any and all tricks I might employ, definitely looking like we're going to need to do extend Kamailio somehow. If we can do it in a way that isn’t internally sensitive, I’ll propose we create a pull request, maybe help someone else in the future?

Cheers - Robert...

> On 16 Nov 2017, at 09:34, Daniel Tryba <d.tryba at pocos.nl> wrote:
> 
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
>>> I???m working for a UK high street bank and our Kamailio implementation has been challenged because we???ve got database passwords held in clear in the configuration file.
> ...
>>> My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
>>> 
>> you can define a for a token to be used inside kamailio.cfg by using -A
>> command line parameter. So when you start kamailio, fetch the password
>> from your secure system by what so ever meaning, then build the database
>> url based on it and run kamailio with:
>> 
>> kamailio - A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> 
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)
> 
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (ofcourse in a secure way (shred the
> file and overwrite all freespace with a multiple patters a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running. 
> 
> 
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users