8 May
2015
8 May
'15
9:08 a.m.
Hello,
On 07/05/15 09:49, Mathys Frédéric wrote:
Hello Daniel,
Thank you for your answer, this is exactly what I need. Modification
of the auth module seems to be a better solution, but this lead to
some questions for me…
- Could you explain a little bit how the auth module is
working? Which files do I have to modify to change the hash method?
It is hard to remember by heart or explain here -- but in short, what I
would do is to identify where the MD5 hashing is done and from there try
to add an alternative for shaX.
- If I used another auth_* module to get
username / password,
the modification in the auth module is enough for the
www_authentication? In other words, the authentication is always done
in this module? Even If I use auth_radius or auth_diameter or a
self-made auth_* module?
Some of those modules might be touched as well, given, for example, that
auth_db can already retrieve the hashed value from the database. IIRC,
radius auhentication sends all the attributes for authentication to
radius and radius server does all the computation for check.
As a first step, I would focus on auth module for pv_auth_check() which
takes the password or the hashed value as parameter.
Cheers,
Daniel
*From:*sr-users [mailto:sr-users-bounces@lists.sip-router.org] *On
Behalf Of *Daniel-Constantin Mierla
*Sent:* Wednesday 6 May 2015 16:44
*To:* Kamailio (SER) - Users Mailing List
*Subject:* Re: [SR-Users] Kamailio authentication method
Hello,
to understand properly, do you need to have:
HA1=SHA(username:realm:password)
HA2=SHA(method:digestURI)
response=SHA(HA1:nonce:HA2)
Perhaps it can be done with config file scripting, if you are familiar
with transformations and header manipulation. But I think it will be
simpler to extend auth module to support different hashing algorithm.
The code for computing shaX is already in kamailio (used for shaX
transformations), so the change in auth should be about advertising
and detecting when the new algorithm has to be used.
Cheers,
Daniel
On 06/05/15 16:28, Mathys Frédéric wrote:
Hello,
In my scenario with a Kamailio server, I have a VOIP client
connecting to the server which, for some reasons, cannot calculate
MD5 hashes but only SHA. In this situation, would it be possible
to change the authentication algorithm by either modifying
Kamailio scripts or writing an external module to do that?
As far as I know, the authentication response is calculated as
follow (standard HTTP Digest authentication) :
HA1=MD5(username:realm:password)
HA2=MD5(method:digestURI)
response=MD5(HA1:nonce:HA2)
For that, I have to save ha1 and ha1b values in the DB with the
SHA function directly (with a trigger for example), and then
change the authentication method too.
What is the best solution to do that? Does a module already exists?
Thank you!
Frederic Mathys
System Integration & Validation
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda <http://twitter.com/#%21/miconda> -
http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com