[SR-Users] Kamailio/Asterisk combination + hashed passwords?

Daniel Pocock daniel at pocock.com.au
Tue Jun 11 10:12:46 CEST 2013


On 10/06/13 13:05, Klaus Darilion wrote:
>
> On 06.06.2013 16:35, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> On 6/6/13 11:05 AM, Daniel Pocock wrote:
>>> I was just looking over:
>>>
>>> http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>>>
>>> A couple of things I noticed:
>>>
>>> - Kamailio is using a column sippasswd which is not hashed.  Asterisk
>>> doesn't use that column at all.  Is there any reason this can't be done
>>> with the H(A1) and H(A1b) columns?  The INSERT example shows a
>>> non-encrypted password.
>>
>> you can store hashed value there. In Kamailio is just a matter of config
>> parameter/function parameter to say the loaded value is either plain
>> text or ha1.
>
> Just a comment: it does not give you any additional security to store
> the passwords in hashed form - as also the hashed password can be used
> to calculate a proper authentication response.
>
> The only benefit to use the hashed form is if the same password is
> used in other systems too - then leaking the subscriber table does not
> compromise the other systems (for approximately 4 hours with today's
> MD5 hacking performance), but only the SIP system.
>
Agreed - that is one reason why I encourage use of TLS client certs:

http://www.resiprocate.org/ReproMutualTLSAuthenticationJitsi

I've had that working with both Jitsi and Polycom devices (they have
built-in certs) - it would be interesting to see a sample config and the
same howto for Kamailio; from what I can tell the TLS module does
support the same functionality.

One day I'll get around to adding client cert support into Lumicall.
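The point made above about H(A1) is worth seeing in code: the Digest response (RFC 2617) is MD5(HA1:nonce:HA2), so a server that stores only HA1 per subscriber can still verify every challenge, and anyone holding that stored HA1 can produce the same response without ever knowing the password. The following is an added illustration written for this thread, not code from Kamailio, Asterisk or the howto linked above; the usernames, realm, nonce and password are constructed sample values, and the `Ha1OnlyStore` class is a hypothetical stand-in for a subscriber table loaded with the HA1 column (in Kamailio's auth_db module that mode is selected with the `calculate_ha1` parameter).

```python
"""RFC 2617 Digest for SIP: verification from a stored HA1 only.

Shows (1) that a client deriving HA1 from the plaintext password and a
server holding only the HA1 column compute the identical response, and
(2) that the stored HA1 therefore has to be protected like a credential.
"""
import hashlib
import hmac


def _md5(text: str) -> str:
    """Lowercase hex MD5, as Digest requires."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); what the 'ha1' column holds."""
    return _md5(f"{username}:{realm}:{password}")


def compute_ha1b(username: str, domain: str, realm: str, password: str) -> str:
    """Variant used when the client authenticates as user@domain ('ha1b' column)."""
    return _md5(f"{username}@{domain}:{realm}:{password}")


def compute_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """Digest response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).

    Note that nothing here needs the password, only HA1.
    """
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{ha2}")


def client_response_from_password(username: str, realm: str, password: str,
                                  nonce: str, method: str, uri: str) -> str:
    """What a phone does: derive HA1 from the plaintext password, then respond."""
    return compute_response(compute_ha1(username, realm, password), nonce, method, uri)


class Ha1OnlyStore:
    """Hypothetical subscriber table that stores only HA1 (constructed for this example)."""

    def __init__(self, ha1_by_user: dict[str, str]):
        self._ha1_by_user = dict(ha1_by_user)

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str) -> bool:
        """Server-side check: recompute the expected response from the stored HA1.

        Uses a constant-time comparison so timing does not leak how many
        hex digits of the response matched.
        """
        stored_ha1 = self._ha1_by_user.get(username)
        if stored_ha1 is None:
            return False
        expected = compute_response(stored_ha1, nonce, method, uri)
        return hmac.compare_digest(expected, response.lower())


def demo() -> dict:
    """Constructed walk-through of one REGISTER challenge."""
    realm, user, password = "sip.example.org", "alice", "s3cret-sample"
    nonce = "c0ffee1234deadbeef"           # constructed server nonce
    method, uri = "REGISTER", "sip:sip.example.org"

    store = Ha1OnlyStore({user: compute_ha1(user, realm, password)})
    from_password = client_response_from_password(user, realm, password, nonce, method, uri)
    from_stored_ha1 = compute_response(store._ha1_by_user[user], nonce, method, uri)
    return {
        "from_password": from_password,
        "from_stored_ha1": from_stored_ha1,
        "server_accepts": store.verify(user, nonce, method, uri, from_password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` dictionary has identical `from_password` and `from_stored_ha1` entries, which is exactly the observation in the quoted reply: storing HA1 instead of the plaintext password lets the server drop the password itself, but the table row still authenticates a REGISTER on its own, so it only limits damage to other systems that reuse the password, not to this SIP deployment.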


