Hi Antonio,
Following our previous communication re the above subject, I have recently found the time to understand and try out your interesting suggested solution as per email below.
Actually, the solution regarding "ser" worked perfectly well.
However, I am still stuck in the serweb part, in a sense that a user whose password is no longer saved in clear text is then unable to log into serweb. It appears as if serweb requires use of clear-text passwords for authentication.
I am currently using CVS Ser 99, and have noted that your reference to the last part of the config.php change the line, namely "$this->clear_text_pw=1;" instead reads "$config->clear_text_pw=1;"
Thank you in advance for any further help, while wishing you and all SER users a Happy New Year.
-----Original Message-----
From: Antonio Rabena [mailto:antonio@lgatelecom.net]
Sent: 18 October 2004 10:12
To: karl
Subject: Re: [Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text

You can modify the serctl to store an empty value in the password column in the mysql subscriber table.
e.g.
QUERY="update $TABLE \
    set $HA1_COLUMN='$HA1', $HA1B_COLUMN='$HA1B', $PASSWORD_COLUMN='' \
    , $SUB_MODIFIED_COLUMN=now() \
    WHERE $SUBSCRIBER_COLUMN='$1' and $REALM_COLUMN='$SIP_DOMAIN';"

and

QUERY="insert into $TABLE \
    ($SUBSCRIBER_COLUMN,$REALM_COLUMN,$HA1_COLUMN,\
    $HA1B_COLUMN,$PASSWORD_COLUMN,$EMAIL_COLUMN, $SUB_CREATED_COLUMN, \
    $PHP_LIB_COLUMN ) \
    values ('$1','$SIP_DOMAIN','$HA1','$HA1B','', '$3', now(), '$HA1' );";
for the serweb..
on the last part of the config.php change the line from
$this->clear_text_pw=1;
to
$this->clear_text_pw=0;
Regards,
Antonio
karl wrote:
Thanks Jan for your feedback.
I may confirm that serctl is generating the following values:
i) Plain text in the "password" column.
ii) Encrypted text in the "ha1" column.
iii) Encrypted text in the "ha1b" column.
However, I refer back to my original objective, namely that while I still require users to be authenticated against user credentials (username, password, realm), on the other hand I want to avoid storing passwords in clear text in mysql "subscriber" table, when creating new user accounts using the serctl add command.
Thanks
Karl

Jan Janak jan@iptel.org wrote:
Make sure that you have proper values in ha1 column (generated automatically by serctl, if not then you can use gen_ha1 utility to generate the hashes from plaintext password) and set:
modparam("auth_db", "calculate_ha1", no)
modparam("auth_db", "password_column", "ha1")
Jan.
On 12-10 00:12, karl wrote:
Hi guys,
I would appreciate if someone may help me on the subject. While still requiring users to be authenticated against user credentials (username, password, realm), on the other hand I want to avoid storing passwords in clear text in mysql "subscriber" table. Any ideas?
Thank you in advance.
Best regards,
Karl
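Added example, not part of the original thread or of SER/serweb: a Python sketch of why the proxy can authenticate a digest challenge from the stored ha1 value alone, with the password column left empty as discussed above. The function names and the sample subscriber row are hypothetical; the ha1b layout (username@realm as the user part) is an assumption about what serctl stores; the challenge values are the published RFC 2617 example.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as defined by RFC 2617: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def make_ha1b(username: str, realm: str, password: str) -> str:
    """Assumed ha1b layout: HA1 for clients that send user@realm as username."""
    return make_ha1(f"{username}@{realm}", realm, password)


def expected_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Digest response computed from HA1 only (qop absent or 'auth')."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify(stored_ha1: str, client_response: str, **challenge) -> bool:
    """Server-side check; the plaintext password is never needed here."""
    want = expected_response(stored_ha1, **challenge)
    return hmac.compare_digest(want, client_response.lower())


# Constructed subscriber row: hashes filled in at account creation,
# password column stored empty.
ROW = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "password": "",
    "ha1": make_ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
    "ha1b": make_ha1b("Mufasa", "testrealm@host.com", "Circle Of Life"),
}

# Challenge parameters and client response from the RFC 2617 example.
CHALLENGE = dict(method="GET", uri="/dir/index.html",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 nc="00000001", cnonce="0a4f113b", qop="auth")
CLIENT_RESPONSE = "6629fae49393a05397450978507c4ef1"

if __name__ == "__main__":
    print("authenticated:", verify(ROW["ha1"], CLIENT_RESPONSE, **CHALLENGE))
```

The stored ha1 is still a password-equivalent secret for its realm, so the subscriber table needs the same access controls as before.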