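I am running Asterisk on a Raspberry Pi 3; therefore, I would like to protect the passwords. Someone could remove the SD card and the passwords would be visible in plain text! I know I could encrypt the whole operating system, but it would be nice if I could avoid that, since I only need to protect one file.
There are 3 types of keys/passwords that I want to protect. So far, I have managed to protect 2 of the 3 passwords.
Anyway, this is my previous sip.conf, unprotected: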
[general]
keepalive=30
bindport=5060
... etc
; Allow tls !
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/keys/asterisk.pem ; <---- 1st key unprotected
tlscafile=/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
; Peers info ---------------------------------------------
[user1]
secret=somePassword ; < -------- 2nd key unprotected
type=peer
... etc
[user2]
... etc.. ; more unprotected keys
; ----------------------------------------------------------
; elastic sip trunks used to make outbound calls -----------
[Trunk-Provider-1] ;
type=peer
host=someProvider.com
secret=plainTextPassword ; <------------ 3rd password unprotected
username=foo
; ---------------------------------------------------------
This is my new sip.conf, "protected":
[general]
keepalive=30
bindport=5060
... etc
; Allow tls !
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/dev/shm/keys/asterisk.pem ; <---- 1st key located on memory (/dev/shm/)
tlscafile=/dev/shm/keys/ca.crt ; same thing. File is on memory and NOT on disk.
tlscipher=ALL
tlsclientmethod=tlsv1
; Peers info ---------------------------------------------
[user1]
md5secret=4a8e71480c5b1ef0a5d502a8eb98576 ; < -------- 2nd key hashed (protected)
type=peer
... etc
[user2]
... etc.. ; more hashed keys
; ----------------------------------------------------------
; elastic sip trunks used to make outbound calls -----------
[Trunk-Provider-1] ;
type=peer
host=omeProvider.com
secret=password-Of-Provider ; <------------ 3rd password I do not know how to protect this :/ ?
username=foo
; ---------------------------------------------------------
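So I have to protect 3 types of keys/passwords.
Certificate keys: The certificates used to encrypt calls. I protect them by downloading them when the computer boots and placing them in memory (/dev/shm/). If the computer is powered off, the files are lost.
IP phone passwords (peers): These are the passwords used by the phones (peers). To protect them, I hashed them. This article explains how to do that: https://www.voip-info.org/wiki/view/Asterisk+sip+md5secret
Provider passwords (used to make outbound calls): I do not know how to protect these passwords. I thought about moving the location of the sip.conf file to memory, but that is not easy. I believe it would require moving all the configuration files.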
Answer 1
Answering my own question:
I moved the file /etc/asterisk/sip.conf by creating a symbolic link. https://stackoverflow.com/a/1951752/637142
# 1. Delete /etc/asterisk/sip.conf we do not want that file on disk. It contains passwords!
rm /etc/asterisk/sip.conf
# 2. create sip.conf on memory (/dev/shm/sip.conf)
touch /dev/shm/sip.conf
# ... add configuration and passwords to that file
# 3. Trick asterisk by placing a symbolic link.
# Point file /etc/asterisk/sip.conf ---> /dev/shm/sip.conf
ln -s /dev/shm/sip.conf /etc/asterisk/sip.conf
Now, when I access /etc/asterisk/sip.conf, I am actually accessing /dev/shm/sip.conf!
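As an added example (not part of the original question or answer): a small Python audit for a sip.conf laid out like the ones above. It flags plaintext secret= entries, md5secret values that are not 32 hex digits, and TLS key files outside /dev/shm/, and computes md5secret as MD5(user:realm:secret). The realm "asterisk", the function names and the sample config are assumptions constructed for illustration.

```python
import hashlib
import re

# Constructed sample modelled on the sip.conf layout above (not a real config).
SAMPLE = """\
[general]
tlscertfile=/keys/asterisk.pem ; on the SD card
[user1]
md5secret=0123456789abcdef0123456789abcde ; only 31 hex digits
[user2]
md5secret=0123456789abcdef0123456789abcdef
[Trunk-Provider-1] ;
secret=plainTextPassword
username=foo
"""

def md5secret(user, secret, realm="asterisk"):
    """MD5(user:realm:secret). The realm "asterisk" is an assumed default;
    use the realm= value from [general] if one is set."""
    return hashlib.md5(f"{user}:{realm}:{secret}".encode()).hexdigest()

def audit(text, ram_prefix="/dev/shm/"):
    """Return (section, key, problem) for entries that leave a secret on disk."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            continue  # blank lines and "... etc" placeholders
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "secret":
            findings.append((section, key, "plaintext password"))
        elif key == "md5secret" and not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            findings.append((section, key, "not a 32-hex-digit MD5"))
        elif key in ("tlscertfile", "tlsprivatekey") and not value.startswith(ram_prefix):
            findings.append((section, key, "file is outside " + ram_prefix))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(": ".join(finding))
    print("user1 md5secret:", md5secret("user1", "somePassword"))
```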