[SR-Users] Kamailio/Asterisk combination + hashed passwords?

Klaus Darilion klaus.mailinglists at pernau.at
Mon Jun 10 13:05:35 CEST 2013



On 06.06.2013 16:35, Daniel-Constantin Mierla wrote:
> Hello,
>
> On 6/6/13 11:05 AM, Daniel Pocock wrote:
>> I was just looking over:
>>
>> http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>>
>>
>> A couple of things I noticed:
>>
>> - Kamailio is using a column sippasswd which is not hashed.  Asterisk
>> doesn't use that column at all.  Is there any reason this can't be done
>> with the H(A1) and H(A1b) columns?  The INSERT example shows a
>> non-encrypted password.
>
> you can store hashed value there. In Kamailio it is just a matter of a config
> parameter/function parameter to say the loaded value is either plain
> text or ha1.

Just a comment: it does not give you any additional security to store 
the passwords in hashed form - as also the hashed password can be used 
to calculate a proper authentication response.

The only benefit of using the hashed form is if the same password is used 
in other systems too - then leaking the subscriber table does not 
compromise the other systems (for approximately 4 hours with today's MD5 
hacking performance), but only the SIP system.

regards
Klaus
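
Added example (not part of the message above and not Kamailio or Asterisk code): RFC 2617 digest verification in Python, showing that a registrar needs only the stored HA1 to check a response, so the HA1 column is a password-equivalent credential, and that HA1 is bound to one realm. The user name, realms, password and nonce are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 as defined by RFC 2617: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Digest response built from HA1 only; the plaintext password is not an input."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, response, **qop_fields):
    """Check a response against a subscriber row that holds HA1, not plaintext."""
    expected = digest_response(stored_ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample values, not taken from the thread.
    user, realm, password = "alice", "sip.example.org", "constructed-secret"
    method, uri, nonce = "REGISTER", "sip:sip.example.org", "constructed-nonce-0001"

    stored = ha1(user, realm, password)  # value held in the subscriber table
    from_password = digest_response(ha1(user, realm, password), method, uri, nonce)
    from_stored_only = digest_response(stored, method, uri, nonce)

    # Same user and password on a second system with a different realm.
    other_realm = ha1(user, "pbx.example.net", password)
    return {
        "ha1_is_password_equivalent": from_password == from_stored_only,
        "server_accepts": server_verify(stored, method, uri, nonce, from_stored_only),
        "other_realm_rejects": not server_verify(
            other_realm, method, uri, nonce, from_stored_only),
    }


if __name__ == "__main__":
    print(demo())
```

The subscriber table therefore needs the same access control and encryption at rest whether it holds plaintext or HA1; the hashed form only limits reuse of the value against systems with a different realm.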
