[Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text

karl ser_newbie at yahoo.com
Tue Dec 28 15:43:49 CET 2004


Hi Antonio,

Following our previous communication re the above subject, I have recently found the time to understand and try out your interesting suggested solution as per email below.

Actually, the solution regarding "ser" worked perfectly well.

However, I am still stuck on the serweb part, in the sense that a user whose password is no longer saved in clear text is then unable to log into serweb. It appears as if serweb requires use of clear-text passwords for authentication.

I am currently using CVS Ser 99, and have noted that the line you refer to in the last part of config.php, namely "$this->clear_text_pw=1;", instead reads "$config->clear_text_pw=1;".


Thank you in advance for any further help, while wishing you and all SER users a Happy New Year.



 


-----Original Message-----
From: Antonio Rabena [mailto:antonio at lgatelecom.net]
Sent: 18 October 2004 10:12
To: karl
Subject: Re: [Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text

 

You can modify serctl to store an empty value in the password column of the mysql subscriber table.

e.g.

        QUERY="update $TABLE \
            set $HA1_COLUMN='$HA1', $HA1B_COLUMN='$HA1B', $PASSWORD_COLUMN='' \
            , $SUB_MODIFIED_COLUMN=now() \
            WHERE $SUBSCRIBER_COLUMN='$1' and $REALM_COLUMN='$SIP_DOMAIN';"
and

        QUERY="insert into $TABLE \
                ($SUBSCRIBER_COLUMN,$REALM_COLUMN,$HA1_COLUMN,\
                $HA1B_COLUMN,$PASSWORD_COLUMN,$EMAIL_COLUMN, $SUB_CREATED_COLUMN,  \
                $PHP_LIB_COLUMN ) \
                values ('$1','$SIP_DOMAIN','$HA1','$HA1B','', '$3', now(), '$HA1' );";



For serweb:

In the last part of config.php, change the line from

        $this->clear_text_pw=1;

to 

        $this->clear_text_pw=0;



Regards,

Antonio


karl wrote:



Thanks Jan for your feedback.

 

I may confirm that serctl is generating the following values:

i) Plain text in the "password" column.

ii) Encrypted text in the "ha1" column.

iii) Encrypted text in the "ha1b" column.

 

However, I refer back to my original objective, namely that while I still require users to be authenticated against user credentials (username, password, realm), on the other hand I want to avoid storing passwords in clear text in mysql "subscriber" table, when creating new user accounts using the serctl add command.

 

Thanks

 

Karl

Jan Janak <jan at iptel.org> wrote:

Make sure that you have proper values in ha1 column (generated
automatically by serctl, if not then you can use gen_ha1 utility to
generate the hashes from plaintext password) and set:

modparam("auth_db", "calculate_ha1", no)
modparam("auth_db", "password_column", "ha1")

Jan.

On 12-10 00:12, karl wrote:
> Hi guys,
> 
> I would appreciate it if someone could help me on the subject. While still requiring users to be authenticated against user credentials (username, password, realm), on the other hand I want to avoid storing passwords in clear text in mysql "subscriber" table. Any ideas?
> 
> Thank you in advance.
> 
> Best regards,
> 
> Karl
> 



