[Serusers] dbtext authentication and password encryption

Istvan Hubay Cebrian ihc.www at gmail.com
Mon Mar 13 19:32:14 CET 2006


Thanks for the e-mail.

I read through all the available documentation and tried your suggestions.
Supposedly this should be enough; however, as I am using a different version
of SER optimized for the mipsel architecture (i.e. the WRT54GS router -
www.milkfish.org) I gather things are a bit different.

After editing ser.cfg and adding the lines below, the subscribers file
(where username, password MD5 hash, etc. is stored) now contains the MD5 hash
string, yet it also still contained the password as text.

Therefore I edited dbtextctl (same as serctl but optimized for dbtext DBs).
I found that a whole string composed of various parameters (username, MD5,
password, realm, etc.) was being saved in the subscribers file. I identified
the parameter storing the password as text and removed it.

Adding a new subscriber works fine, and the password is no longer stored as
text; however, UA REGISTERs aren't working. In my opinion this is because
the password is being sent as text to SER, which is then comparing it to the MD5
string. This test obviously fails.

Possible solutions would be:
a) have the UA itself calculate the MD5 hash string and send or
b) have SER receive the password as text then calculate MD5 hash and compare

The second option is the best; however, I have no idea how to do this, or
where to start. Any help will be much appreciated.

Thanks,
Istvan

-----Original Message-----
From: Jan Janak [mailto:jan at iptel.org] 
Sent: quinta-feira, 9 de Março de 2006 10:17
To: Istvan Hubay Cebrian
Cc: serusers at lists.iptel.org
Subject: Re: [Serusers] dbtext authentication and password encryption

You can store them as HA1 strings (see RFC 2617 for details). Basically it is
an MD5 hash of username, realm, and password. It is still not very secure,
because if someone gets access to the string then he could authenticate
using a modified SIP user agent, but at least people won't see the passwords
by accident.

To enable this set:

modparam("auth_db", "calculate_ha1", no)
modparam("auth_db", "password_column", "ha1")

You can generate the HA1 strings using the gen_ha1 tool (which is installed with
SER).

  Jan.

Istvan Hubay Cebrian wrote:
> Hi,
> 
> I am currently deploying SER on a Linksys WRT54GS v1.1 router. I am using
> dbtext for authentication purposes. Lately I noticed that the users'
> passwords are stored as text. My question is: is there any way in which I
> could encrypt these passwords? Maybe using another module? Any information
> will be much appreciated.
> 
> Thanks
> 





