[SR-Users] DBURL password in clear

Robert robert at vooey.co.uk
Wed Nov 15 18:27:42 CET 2017 

Thank you Daniel. This provides me with some capability, but I can’t seem to consume the result in the configuration, I just get lots of errors. The issue seems to be that the value of the define, passed via -A doesn’t seem to be processed in anyway.

I’ve had a quick look in the cfg.lex and cfg.y files, but that’s the first time delving into Flex etc. so I’m not sure I’m following it correctly.

I’ve tried every combination of encapsulation of the parameters in single and double quotes I can think of i.e. -A DBURL=“…”, -A “DBURL=…”, all with the same result.

I also tried #!subst "/DB_URL/DBURL/g” but that doesn’t seem to expand out the DBURL define.

In short, I’m stumped… Any further thoughts would be truly appreciated. I’ve put a few error details in the mail below. I’m feeling that I may need to resort to changing the behaviour of the subst directive to meet my needs (more likely, add substvar, substfromfile or some such).

Any further thoughts would be truly welcome, otherwise I think I’m going to have to dig out my dusty K&R book and roll my sleeves up… Sincere thanks in advance for any ideas.

Cheers - Robert...

-------------------------------------------------------------------------------------------------------------------------

In the configuration file, I have failures for example on:

modparam("htable", "db_url", DBURL)

when launched with the -A results in:

0(7) DEBUG: <core> [core/cfg.lex:1838]: pp_define_get(): ### returning define ID [DBURL] value [oracle://username:password@/DB <oracle://username:password@/DB>]
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid arguments
0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
ERROR: bad config file (3 errors)

I’ve tried with #!subst but it seems that pre-processor directive doesn’t expand out defines, so:

#!subst "/DB_URL/DBURL/g”
modparam("htable", "db_url", DB_URL)

just results in:

0(7) INFO: <core> [core/ppcfg.c:82]: pp_subst_add(): ### added subst expression: /DB_URL/DBURL/g
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) DEBUG: <core> [core/re.c:436]: subst_run(): running. r=1
0(7) DEBUG: <core> [core/re.c:504]: subst_str(): no match
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: syntax error
0(7) CRITICAL: <core> [core/cfg.y:3431]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 30-35: Invalid arguments
0(7) CRITICAL: <core> [core/cfg.y:3434]: yyerror_at(): parse error in config file /usr/local/etc/kamailio/kamailio.cfg, line 97, column 36: 
ERROR: bad config file (3 errors)



> On 15 Nov 2017, at 07:46, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> 
> On 14.11.17 14:25, Robert wrote:
>> Hello,
>> 
>> I’m working for a UK high street bank and our Kamailio implementation has been challenged because we’ve got database passwords held in clear in the configuration file.
>> 
>> I am unable to find any examples of where this has been worked around, there doesn’t seem to be any module or configuration means of supplying a variable in the modparam() entry that is expanded a startup. The security tutorials only seem to relate to the SIP level of security, not Kamailio as a platform.
>> 
>> My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
>> 
>> I am by no means a Kamailio expert, so apologies in advance if this is a mindblowingly basic thing to achieve, but I do feel I’ve exhausted the Kamailio documentation, wiki etc. and all the goodness Google usually has to offer and drawn a blank.
>> 
>> Sincere thanks in advance for any assistance.
>> 
>> 
> you can define a for a token to be used inside kamailio.cfg by using -A
> command line parameter. So when you start kamailio, fetch the password
> from your secure system by what so ever meaning, then build the database
> url based on it and run kamailio with:
> 
> kamailio - A DBURL='mysql://user:passwd@dbhost/kamailio <mysql://user:passwd@dbhost/kamailio>' ...
> 
> You may need to enclose in double quotes inside the single quotes, I am
> not sure at this moment, but sometime she shell 'eats' a pair of quotes,
> so just try with it if first fails ...
> 
> Cheers,
> Daniel
> 
> -- 
> Daniel-Constantin Mierla
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
> Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com <http://www.asipto.com/>
> Kamailio World Conference - www.kamailioworld.com <http://www.kamailioworld.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20171115/d82b5eca/attachment.html>

More information about the sr-users mailing list