[SR-Users] DBURL password in clear

Bastian Triller bastian.triller at gmail.com
Thu Nov 16 22:46:20 CET 2017


Isn't using a group in the db URL an option? Generate some .cnf in
/etc/mysql/conf.d (or where MySQL searches its configuration in a
Docker container) from the secret and use the group in your db URL in
kamailio.cfg.

http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212

On Thu, 2017-11-16 at 20:22 +0000, Robert wrote:
> Hello Daniel,
> 
> I did think of this, but yes, that’s exactly my problem. Penetration
> testing will highlight any and all tricks I might employ, definitely
> looking like we're going to need to extend Kamailio somehow. If we
> can do it in a way that isn’t internally sensitive, I’ll propose we
> create a pull request, maybe help someone else in the future?
> 
> Cheers - Robert...
> 
> > On 16 Nov 2017, at 09:34, Daniel Tryba <d.tryba at pocos.nl> wrote:
> > 
> > On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla
> > wrote:
> > > > I'm working for a UK high street bank and our Kamailio
> > > > implementation has been challenged because we've got database
> > > > passwords held in clear in the configuration file.
> > 
> > ...
> > > > My requirement is simple, I need to be able to supply a
> > > > password via means such as loading a variable from a run-once
> > > > script at start up, or a module. The ideal would be to be able
> > > > to read in a Docker secret :)
> > > > 
> > > 
> > > you can define a for a token to be used inside kamailio.cfg by using -A
> > > command line parameter. So when you start kamailio, fetch the password
> > > from your secure system by what so ever meaning, then build the database
> > > url based on it and run kamailio with:
> > > 
> > > kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> > 
> > My guess is the next problem will be the password being visible to
> > all users querying the processlist :)
> > 
> > Is including a file (import_file) with passwords an option? Generate
> > the file just before startup, remove it (of course in a secure way
> > (shred the file and overwrite all freespace with multiple patterns a
> > few dozen times (ask the auditors for the exact specifications that
> > make them happy))) after kamailio is running.
> > 
> > 
> > _______________________________________________
> > Kamailio (SER) - Users Mailing List
> > sr-users at lists.kamailio.org
> > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

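The option-file approach suggested at the top of this message, as an added example that is not part of the original thread or of Kamailio's own code. The secret path, the option-file path and the group, user and database names are assumptions; the `mysql://[group]/db` URL form follows the db_mysql module documentation linked above.

```shell
#!/bin/sh
# Build a MySQL option-file group from a secret file, so the password is
# neither in kamailio.cfg nor on the kamailio command line.

# write_db_group SECRET_FILE CNF_FILE GROUP USER
write_db_group() {
    secret_file=$1 cnf_file=$2 group=$3 user=$4
    [ -r "$secret_file" ] || { echo "secret not readable: $secret_file" >&2; return 1; }
    # First line only; command substitution strips the trailing newline.
    password=$(head -n 1 "$secret_file")
    [ -n "$password" ] || { echo "empty secret" >&2; return 1; }
    # Refuse characters that would need escaping inside a quoted value.
    case $password in
        *\"*|*\\*) echo "secret contains a quote or backslash" >&2; return 1 ;;
    esac
    # mktemp creates the file with mode 0600, before any data is written.
    tmp=$(mktemp "${cnf_file}.XXXXXX") || return 1
    # printf is a shell builtin here, so the password never becomes an
    # argument of a separate process visible in the process list.
    printf '[%s]\nuser = %s\npassword = "%s"\n' "$group" "$user" "$password" > "$tmp"
    # Rename within the same directory; the 0600 mode is preserved.
    mv -f "$tmp" "$cnf_file"
}

# db_url GROUP DBNAME: the credential-free URL to put in kamailio.cfg
db_url() {
    printf 'mysql://[%s]/%s\n' "$1" "$2"
}

# When run with two arguments (e.g. from a container entrypoint):
#   gen-db-group.sh /run/secrets/kamailio_db_password /etc/mysql/conf.d/kamailio.cnf
if [ "$#" -eq 2 ]; then
    write_db_group "$1" "$2" kamailio kamailio && db_url kamailio kamailio
fi
```

The generated file must be readable by the account Kamailio runs as, so run the script as that account or adjust the file's ownership afterwards.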