[SR-Users] Meddling with password during authentication

Muhammad Shahzad shaheryarkh at gmail.com
Sat Dec 27 07:48:00 CET 2014


I am not sure if I understand your question correctly, but if you want to
use any authentication source or encryption algorithm (for back-end
storage, e.g. for compliance with PCI DSS v2.0 and above) other than the
standard db and ha1 hash then you may consider using pv_auth_check,

http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check

just query whatever subscriber back-end you have, fetch the password
(decrypt according to your architecture requirements) and supply it to this
method through an AVP. I recommend never to use plain text passwords, even in
this scenario (you should make the ha1 hash before encrypting it specific to
your back-end requirements, so that when the kamailio script decrypts it at run
time, it would get the ha1 hash rather than plaintext, thus keeping it somewhat
safe even against memory exploits from remote hackers).

Regarding the digest response hash sent by the client, no, it is not possible to
decrypt it (at least under normal circumstances). You may find ways to
modify the response hash, but it would most likely be pointless (since you
do not know what was actually entered by the user as password).

Thank you.



On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen <
ohjelmistoarkkitehti at gmail.com> wrote:

>
> Hello all,
>
> During authentication, is there any way to affect the password the user is
> sending? I do suspect not as it is a clear security matter, but it won't hurt
> to ask. I use the auth_db module with the calculate_ha1 parameter set to 1. For
> reasons in integrating Kamailio into my system architecture there is a need
> to store a password in some other format than for example
> md5('555:domain.com:password') while not allowing any passwords to be
> stored as plaintext.
>
> For example: md5('555:domain.com:md5('password')') but this would require
> me to hash the password before authentication, in Kamailio script as I
> can't do it in the clients.
>
> Reason for this question is to have my users in a separate database, and
> these users could have 0-n sip peers assigned to them, and have users
> authenticate to my software and the sip peers using the same password.
>
> cheers,
> Olli
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
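The two points made in the reply above, as an added example that is not part of the thread or of Kamailio's own code: the server only needs HA1 (never the plaintext) to verify a client's digest response, and a response computed by a UA from the real password cannot be made to match a differently hashed stored value. The user/realm/password, nonce and URI are constructed sample values modelled on the thread; the back-end lookup is a hypothetical stand-in for the decrypt-and-hand-to-AVP step described for pv_auth_check.

```python
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password).

    This is what auth_db keeps in subscriber.ha1 (calculate_ha1=0) or
    derives from the plaintext column at run time (calculate_ha1=1)."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """Digest response in the basic (no qop) RFC 2617 form."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_hex}:{nonce}:{ha2}")


def verify(stored_ha1: str, method: str, uri: str, nonce: str, client_response: str) -> bool:
    # The comparison pv_auth_check makes when given an HA1 in the password AVP
    # (assumption: method, URI and nonce are already parsed out of the header).
    return digest_response(stored_ha1, method, uri, nonce) == client_response


# Constructed sample values (user 555, realm domain.com, as in the thread).
USER, REALM, PASSWORD = "555", "domain.com", "password"
NONCE, METHOD, URI = "constructed-nonce-1234", "REGISTER", "sip:domain.com"


def simulate_client_register() -> str:
    # The UA knows only the plaintext password and computes HA1 itself.
    return digest_response(ha1(USER, REALM, PASSWORD), METHOD, URI, NONCE)


def backend_lookup_ha1() -> str:
    # Hypothetical back-end: returns the HA1 that, in the design from the thread,
    # would have been stored encrypted and decrypted here before use.
    return ha1(USER, REALM, PASSWORD)


def check_with_stored_ha1() -> bool:
    return verify(backend_lookup_ha1(), METHOD, URI, NONCE, simulate_client_register())


def check_with_rehashed_password() -> bool:
    # The md5(user:realm:md5(password)) format from the question: the server
    # cannot make the UA's response match it, since the UA hashed the real password.
    return verify(ha1(USER, REALM, md5hex(PASSWORD)), METHOD, URI, NONCE, simulate_client_register())
```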