On 06.06.2013 16:35, Daniel-Constantin Mierla wrote:
Hello,
On 6/6/13 11:05 AM, Daniel Pocock wrote:
I was just looking over:
http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
A couple of things I noticed:
- Kamailio is using a column sippasswd which is not hashed. Asterisk doesn't use that column at all. Is there any reason this can't be done with the H(A1) and H(A1b) columns? The INSERT example shows a non-encrypted password.
You can store a hashed value there. In Kamailio it is just a matter of a config parameter/function parameter to say whether the loaded value is plain text or ha1.
Just a comment: it does not give you any additional security to store the passwords in hashed form - as the hashed password can also be used to calculate a proper authentication response.
The only benefit of using the hashed form is if the same password is used in other systems too - then leaking the subscriber table does not compromise the other systems (for approximately 4 hours with today's MD5 hacking performance), but only the SIP system.
regards Klaus
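
The point made in the reply above, as an added example that is not part of the thread and is not Kamailio or Asterisk code: a digest verifier written per RFC 2617 needs only the stored HA1, never the plain-text password, so the HA1 column has to be protected like the password itself, while the realm binding keeps it from being valid anywhere else. The user, realm, domain and password values are constructed; the HA1b layout (username@domain as the user part) is the usual Kamailio subscriber-table convention and is stated here as an assumption.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1) as defined by RFC 2617: the value a hashed password column holds.
    return md5_hex(f"{username}:{realm}:{password}")


def ha1b(username: str, domain: str, realm: str, password: str) -> str:
    # Assumed H(A1b) layout: same hash with "username@domain" as the user part.
    return md5_hex(f"{username}@{domain}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # The response depends on the password only through HA1.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def verify(stored_ha1, method, uri, nonce, response, **qop_fields):
    # Server side: recompute from the stored HA1 and compare in constant time.
    expected = digest_response(stored_ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample account and challenge.
    user, realm, pw = "alice", "sip.example.test", "constructed-secret"
    stored = ha1(user, realm, pw)          # what the hashed column would contain
    nonce, uri = "5a1c0de0nonce", "sip:sip.example.test"
    resp = digest_response(stored, "REGISTER", uri, nonce)
    print("verified with HA1 only:", verify(stored, "REGISTER", uri, nonce, resp))
    # Same password under another realm: the stored hash is not reusable there.
    print("same hash in other realm:", stored == ha1(user, "other.example.test", pw))
    print("HA1b differs from HA1:", stored != ha1b(user, realm, realm, pw))
```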