[Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text

karl ser_newbie at yahoo.com
Fri Oct 15 15:15:50 CEST 2004


Steve,
 
Thanks once again.  
 
I have modified the ser.cfg file as suggested, and restarted ser, but for whatever parameter value yes/no used, I always get the following results when creating a new user account with the serctl add command:
a) Clear text for password column "password".
b) Encrypted text for password column "ha1".
c) Encrypted text for password column "ha1b".  

Regards,
 
Karl

Steve Blair <blairs at isc.upenn.edu> wrote:

Karl:

My notes say "modparam("auth", "calculate_ha1", yes)" will allow clear text
passwords in the MySQL database. I vaguely remember setting this to
no during a trial. I think, if my memory serves me correctly, that the value
in the password column was encrypted at that point.

I would recommend you try this for yourself and report back to the list. It
has been a while since I last tried it and I am currently running with clear
text passwords.

Thanks,
Steve

karl wrote:

> Hello Steve,
> 
> Thanks for your feedback.
> 
> Actually, as suggested by Antonio from another mail, I have already 
> tried adding the following modparam statements in the ser.cfg file:
> 
> modparam("auth_db", "calculate_ha1", 0)
> modparam("auth_db", "password_column", "ha1")
> 
> .... and their effect is such that user authentication makes use of 
> the hashed password in the "ha1" password column created during user 
> creation using "serctl add" command.
>
> On the other hand, what I am really after is that on user creation 
> using serctl add command, the password column "password" is not left 
> in plain text. Is this possible? or is it still required for SerWeb 
> authentication?
> 
> 
> Thanks
> 
> Karl
>
>
> */Steve Blair /* wrote:
>
>
> I seem to remember that one of the parameters in the modparam
> statement for the auth module will determine if passwords are stored
> in clear text or encrypted. I am away from my office, and system,
> right now and cannot confirm this. Check the auth module
> documentation; perhaps the answer is there.
>
> Dave Bath wrote:
>
> > Karl,
> >
> >
> >
> > You could try using radius authentication. Just google the archives
> > for some docs on how to use it.
> >
> >
> >
> > Dave
> >
> >
> >
> >
> ------------------------------------------------------------------------
> >
> > *From:* serusers-bounces at lists.iptel.org [mailto:serusers-bounces at lists.iptel.org]
> > *On Behalf Of *karl
> > *Sent:* 12 October 2004 08:13
> > *To:* serusers at lists.iptel.org
> > *Subject:* [Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text
> >
> >
> >
> > Hi guys,
> >
> >
> >
> > I would appreciate if someone may help me on the subject. While still
> > requiring users to be authenticated against user credentials
> > (username, password, realm), on the other hand I want to avoid storing
> > passwords in clear text in mysql "subscriber" table. Any ideas?
> >
> >
> >
> > Thank you in advance.
> >
> >
> >
> > Best regards,
> >
> >
> >
> > Karl
> >
> >
> >
> >_______________________________________________
> >Serusers mailing list
> >serusers at lists.iptel.org
> >http://lists.iptel.org/mailman/listinfo/serusers
> >
> >
>

-- 

ISC Network Engineering
The University of Pennsylvania
3401 Walnut Street, Suite 221A
Philadelphia, PA 19104 


voice: 215-573-8396 

215-746-7903

fax: 215-898-9348 

sip:blairs at upenn.edu


		