Brief background to what I am trying to achieve … I will have a PABX facing public internet, and remote handsets which I really want to be zero touch in regards to configuration (ie. onsite technician only has to unbox). The problem is using the traditional TFTP approach could allow someone malicious to spoof a MAC, and request a config file, thus getting server registration details and could begin placing unauthorised calls. FYI - I’ll be using Polycom handsets.
I read an article over at voip-info using Apache mod rewrite and a PHP script to generate a config file, served to the phone over HTTP (with the phone getting the HTTP URL from an FTP server, handed to the phone via DHCP) —> http://www.voip-info.org/wiki/view/Database+driven+Polycom+provisioning+with+Asterisk+RealTime
(I’m not interested in using Asterisk Real Time, I don’t know much about this, and fear it will just add unnecessary complexity).
The way I see this means that there will be no static config files, sitting on a server with all the details anyone would need. My question is thus; does FreePBX store extension password details in the local MySQL database? So far, browsing it, I can’t find these details … Otherwise, I could make a DB on a “provisioning server” that pulls only the required information, if passwords are stored elsewhere in a format that’s useable.
Alternatively, if anyone has setup a secure way of serving config files out over public internets I would love to know about it 
Thanks in advance!