[Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text

Steve Blair blairs at isc.upenn.edu
Fri Oct 15 14:36:26 CEST 2004


Karl:

  My notes say  "modparam("auth", "calculate_ha1", yes)" will allow clear text
passwords in the MySQL database. I vaguely remember setting this to no during
a trial. I think, if my memory serves me correctly, that the value in the
password column was encrypted at that point.

  I would recommend you try this for yourself and report back to the list. It
has been a while since I last tried it and I am currently running with clear
text passwords.

Thanks,
Steve

karl wrote:

> Hello Steve,
>  
> Thanks for your feedback.
>  
> Actually, as suggested by Antonio from another mail, I have already 
> tried adding the following modparam statements in the ser.cfg file:
>  
> modparam("auth_db", "calculate_ha1", 0)
> modparam("auth_db", "password_column", "ha1")
>  
> .... and their effect is such that user authentication makes use of 
> the hashed password in the "ha1" password column created during user 
> creation using "serctl add" command.
>
> On the other hand, what I am really after is that on user creation 
> using serctl add command, the password column "password" is not left 
> in plain text.  Is this possible? or is it still required for SerWeb 
> authentication?
>  
>  
> Thanks
>  
> Karl
>
>
> */Steve Blair <blairs at isc.upenn.edu>/* wrote:
>
>
>     I seem to remember that one of the parameters in the modparam
>     statement for the auth module will determine if passwords are stored
>     in clear text or encrypted. I am away from my office, and system,
>     right now and cannot confirm this. Check the auth module
>     documentation; perhaps the answer is there.
>
>     Dave Bath wrote:
>
>     > Karl,
>     >
>     >
>     >
>     > You could try using radius authentication. Just google the archives
>     > for some docs on how to use it.
>     >
>     >
>     >
>     > Dave
>     >
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     > *From:* serusers-bounces at lists.iptel.org [mailto:serusers-bounces at lists.iptel.org]
>     > *On Behalf Of *karl
>     > *Sent:* 12 October 2004 08:13
>     > *To:* serusers at lists.iptel.org
>     > *Subject:* [Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text
>     >
>     >
>     >
>     > Hi guys,
>     >
>     >
>     >
>     > I would appreciate if someone may help me on the subject. While still
>     > requiring users to be authenticated against user credentials
>     > (username, password, realm), on the other hand I want to avoid storing
>     > passwords in clear text in mysql "subscriber" table. Any ideas?
>     >
>     >
>     >
>     > Thank you in advance.
>     >
>     >
>     >
>     > Best regards,
>     >
>     >
>     >
>     > Karl
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     >
>     >------------------------------------------------------------------------
>     >
>     >_______________________________________________
>     >Serusers mailing list
>     >serusers at lists.iptel.org
>     >http://lists.iptel.org/mailman/listinfo/serusers
>     >
>     >
>
>
>

-- 
  
ISC Network Engineering
The University of Pennsylvania
3401 Walnut Street, Suite 221A
Philadelphia, PA 19104  


voice: 215-573-8396 

       215-746-7903

fax: 215-898-9348    

sip:blairs at upenn.edu
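
An added example (not part of the original thread, and not SER's own code): with `calculate_ha1` set to 0 and the password column pointing at `ha1`, as in Karl's quoted configuration, a digest response can be verified from the stored hash alone. The sketch assumes the `ha1` column holds the RFC 2617 value MD5(username:realm:password); the function names and the sample subscriber are constructed for illustration.

```python
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username, realm, password):
    """Value stored at provisioning time instead of the plaintext password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 response; both client and server compute this from HA1."""
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify(stored_ha1, received_response, method, uri, nonce, **qop_fields):
    """Server side: needs only the stored HA1, never the plaintext."""
    expected = digest_response(stored_ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, received_response.lower())


# Constructed subscriber row: only the hash is kept, no plaintext column.
SUBSCRIBER = {"username": "karl", "realm": "sip.example.org"}
SUBSCRIBER["ha1"] = compute_ha1("karl", "sip.example.org", "constructed-secret")


def demo():
    """Return (correct password accepted, wrong password accepted)."""
    nonce, uri = "constructed-nonce-0001", "sip:sip.example.org"
    good_ha1 = compute_ha1("karl", "sip.example.org", "constructed-secret")
    bad_ha1 = compute_ha1("karl", "sip.example.org", "wrong-guess")
    good = digest_response(good_ha1, "REGISTER", uri, nonce)
    bad = digest_response(bad_ha1, "REGISTER", uri, nonce)
    return (verify(SUBSCRIBER["ha1"], good, "REGISTER", uri, nonce),
            verify(SUBSCRIBER["ha1"], bad, "REGISTER", uri, nonce))


if __name__ == "__main__":
    print(demo())
```

The stored HA1 hides the plaintext but is still sufficient to compute valid responses for that username and realm, so the column needs the same access controls a password column would.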



