Hello, I'm trying to make Kamailio SIP register on a remote server. However, storing a plaintext password looks very insecure. Is there a possibility to store the password for the uac module using the ha1 hash instead of the plaintext password? I see there's a row for it in the database, but in the source code it's not used, and it seems I can neither use it in the db nor set it up in memory as an avp. Maybe there's a workaround to directly access the in-memory uac registration htable?
________________________________ Regards, Alexandru Covalschi VoIP Engineer and System Administrator tel: +37367367850
Can I fire REGISTERs w/o authentication but then process 401/407 in a failure route and somehow tell UAC module which ha1 to use? Keeping all the timers functionality and uac_reg_lookup feature? Or at least if I process 401/407 in a failure_route and manually create the Auth header, will UAC module still be able to keep track of the registrations? Anyway, an in-memory registration table is preferred as I'm using an API which will push all trunks inside Kamailio... Using a database is the worst scenario in my case.
________________________________ Regards, Alexandru Covalschi VoIP Engineer and System Administrator tel: +37367367850
Hello Alexandru,
you are right, right now the ha1 value in the database is not used by the uac registration functionality. This could be added similar to the functionality in auth_db, I think. If you need some pointers for an extension of the code, let us know on sr-dev list.
I don't think it will work correctly if you just use the uac registration functionality and then interact with a failure_route on the auth error.
About your security concerns, you are right that of course plain text passwords are not good. The MD5 hash that is used in the ha1 will not provide much protection as of today, as you probably know as well.
Cheers,
Henning
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Henning Westerholt - https://skalatan.de/blog/ Kamailio services - https://skalatan.de/services
On 28.08.19 16:54, Alexandru Covalschi wrote:
Can I fire REGISTERs w/o authentication but then process 401/407 in a failure route and somehow tell UAC module which ha1 to use? Keeping all the timers functionality and uac_reg_lookup feature? Or at least if I process 401/407 in a failure_route and manually create the Auth header, will UAC module still be able to keep track of the registrations?
The failure_route is not executed for locally generated requests, only for requests received and then forwarded by Kamailio.
You can try to play with event_route[tm:local-request] -- if there is an Authorization header, remove it and add another one that you build yourself with the ha1 value, using eventually some embedded scripting such as Lua or Python. In the uac_reg table, set some dummy value for the plain text password.
But it could get complex -- like I said in the previous email, I find it better to extend the module.
Cheers, Daniel
Hello,
indeed, there seems to be no support to use the ha1 form of password for uac module remote registrations. Probably it was in some plans at some point because the column is there, but it was not implemented so far -- or it was just a cloning of columns from the subscriber table.
Not sure about the coding effort, but I think the right solution would be to extend the module.
Cheers, Daniel
Thank you for your feedback, I will first try playing with event route, I'm in KEMI anyway, however I also think extending the module is a go-for.
________________________________ Regards, Alexandru Covalschi VoIP Engineer and System Administrator tel: +37367367850
On 28 Aug 2019, at 20:56, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
indeed, there seems to be no support to use the ha1 form of password for uac module remote registrations. Probably it was in some plans at some point because the column is there, but it was not implemented so far -- or it was just a cloning of columns from the subscriber table.
Not sure about the coding effort, but I think the right solution would be to extend the module.
Cheers, Daniel
-- Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda