Location of Keys in asterisk package

Maurice Massar massar at unix-ag.uni-kl.de
Wed Feb 17 22:52:17 UTC 2010


hi,

On Wed, Feb 17, 2010 at 09:48:57AM +0200, Tzafrir Cohen wrote:
> On Wed, Feb 17, 2010 at 03:02:53AM +0100, Maurice Massar wrote:
> > asterisk (1:1.4.10~dfsg-1) unstable; urgency=low
> >   * Add ast_key_dir patch to move keys from /var/lib/asterisk/keys to
> >     /usr/share/asterisk/keys where they should be.
> >  -- Mark Purcell <msp at debian.org>  Thu, 09 Aug 2007 22:47:00 +0100
> > 
> > Why should the keys be in /usr/share/asterisk/keys?
> > If I want to configure an RSA authenticated IAX-Trunk between
> > two asterisk hosts, I need to generate keys on both and have
> > asterisk read them. That is configuration in my book. 
> 
> Somewhere in the middle between "configuration" and "data". There's no
> clear distinction between the two.

as with the public keys distributed via the package ok. But for the keys
I need to generate myself or pubkeys I receive, they do not belong in
/usr ...

hm, a quite similar problem is solved by the ca-certs* packages by
putting keys in /usr/share/... and having in /etc/ssl/certs/ symlinks to
package provided certs, or direct files for local stuff...

> For starters, the 'keys' directory is placed by upstream under the
> astdatadir, which in Debian defaults to /usr/share/asterisk . Thus if
> there's no good technical reason, it should remain there.

Where am I [as admin] supposed to place the public and private key files
for an RSA authenticated IAX connection? As the private key is generally
host specific, the FHS explicitly states that it does not belong to /usr:
"Any information that is host-specific [...] is stored elsewhere."

Maybe that issue should be forwarded upstream, but I posted here,
because I only looked at the package in debian stable and unstable and
I'm not following what has/is happening at asterisk's upstream wrt. this.
(my current crusade is to get DHCPv6 actually working and deployed at
this site here, I just got sidetracked while doing the long overdue
etch->lenny update on the asterisk box here)

> For the record, the issue applies to the Squeeze package as well.
> However, in the version included in Squeeze you can set 'astkeysdir'
> explicitly. The keys will reside in a subdirectory called 'keys' of it.

ah, thanks.

> > As a workaround I grepped the sources and found setting astdatadir
> > changes the keydir too... but adding it to asterisk.conf had no effect
> > since the section got renamed to [directories] instead of '[global]'.
> 
> Wasn't this included in the latest stable update?

ah, but it seems to have got missed .. at least, looking at all asterisk-config
.debs on a nearby debian mirror:

ftp:/tmp/XXX# head -1 */etc/asterisk/asterisk.conf
==> asterisk-config_1.2.13~dfsg-2_all.deb/etc/asterisk/asterisk.conf <==
[global]

==> asterisk-config_1.2.13~dfsg-2etch4_all.deb/etc/asterisk/asterisk.conf <==
[global]

==> asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb/etc/asterisk/asterisk.conf <==
[global]

==> asterisk-config_1.6.2.0-1_all.deb/etc/asterisk/asterisk.conf <==
[directories](!) ; remove the (!) to enable this

==> asterisk-config_1.6.2.2-1_all.deb/etc/asterisk/asterisk.conf <==
[directories](!) ; remove the (!) to enable this

(the first 3 files have the same content, as have the last 2)

cu
Maurice
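
A check for the two asterisk.conf pitfalls this message runs into (directory settings left under [global] after the section became [directories], and the [directories](!) header that must lose its (!) to be enabled), written as an added example that is not part of the original post or of the asterisk package. The function names, the constructed sample file and the astkeysdir-over-astdatadir precedence are assumptions; the /usr/share/asterisk default is the Debian one named in the thread.

```python
import posixpath
import re

HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")   # [name] or [name](options)
SETTING = re.compile(r"^(\w+)\s*=>?\s*(.*)$")            # key = value or key => value

def audit_directories(conf_text, keys=("astkeysdir", "astdatadir")):
    """Return (effective, findings) for directory settings in asterisk.conf text."""
    effective, findings = {}, []
    section, template = None, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            section = header.group(1).strip().lower()
            options = (header.group(2) or "").split(",")
            template = "!" in [o.strip() for o in options]   # "(!)" = not enabled
            continue
        setting = SETTING.match(line)
        if not setting or setting.group(1).lower() not in keys:
            continue
        key, value = setting.group(1).lower(), setting.group(2).strip()
        if section != "directories":
            findings.append(f"line {lineno}: {key} under [{section}] has no effect; "
                            "move it to [directories]")
        elif template:
            findings.append(f"line {lineno}: {key} is inside [directories](!); "
                            "remove the (!) to enable it")
        else:
            effective[key] = value
    return effective, findings

def keys_dir(effective, default_datadir="/usr/share/asterisk"):
    """Key directory as the thread describes it: the 'keys' subdirectory of
    astkeysdir if set, else of astdatadir (this precedence is an assumption)."""
    base = effective.get("astkeysdir") or effective.get("astdatadir") or default_datadir
    return posixpath.join(base, "keys")

def violates_fhs(path):
    """Host-specific key material should not live under /usr (FHS, as quoted above)."""
    return posixpath.normpath(path).startswith("/usr/")

# Constructed sample: a lenny-style file with the workaround in the wrong section.
SAMPLE = "[global]\nastdatadir => /var/lib/asterisk\n"

if __name__ == "__main__":
    effective, findings = audit_directories(SAMPLE)
    print(findings, keys_dir(effective), violates_fhs(keys_dir(effective)))
```
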



More information about the Pkg-voip-maintainers mailing list