[SR-Users] Meddling with password during authentication

Daniel-Constantin Mierla miconda at gmail.com
Sat Dec 27 22:30:15 CET 2014


You can store only the ha1 (and ha1b if you have clients using that form
of auth username) in subscriber table (no plain text password in
database) and set calculate_ha1 -- see also the parameters related to
columns of auth_db for further adjustments.

Cheers,
Daniel

On 27/12/14 11:02, Olli Heiskanen wrote:
> Thanks for your input, I thought about working with pv_auth_check, but
> the problem is I can't decrypt the passwords from the database, they
> will be either md5 hashes or some other hashes that can't be
> decrypted. Also I can't access the password user is sending in order
> to encrypt it, so this way of solving my problem seems to be
> impossible as I suspected.
>
> I'll have to solve the problem some other way, but thanks very much
> for your excellent response.
>
> Thanks
>
>
>
> 2014-12-27 8:48 GMT+02:00 Muhammad Shahzad <shaheryarkh at gmail.com>:
>
>     I am not sure if I understand your question correctly, but if you
>     want to use any authentication source or encryption algorithm (for
>     back-end storage, e.g. for compliance with PCI DSS v2.0 and above)
>     other than standard db and ha1 hash then you may consider using
>     pv_auth_check,
>
>     http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check
>
>     just query whatever subscriber back-end you have, fetch the
>     password (decrypt according to your architecture requirements) and
>     supply it to this method through AVP. I recommend never to use
>     plain text passwords, even in this scenario (you should make ha1
>     hash before encrypting it specific to your back-end requirements,
>     so that when kamailio script decrypts it at run time, it would get
>     ha1 hash, rather than plaintext, thus keep it somewhat safe even
>     against memory exploits from remote hackers).
>
>     Regarding the digest response hash sent by client, no it is not
>     possible to decrypt it (at least under normal circumstances). You
>     may find ways to modify the response hash, but it would be most
>     likely pointless (since you do not know what was actually entered
>     by the user as password).
>
>     Thank you.
>
>
>
>     On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen
>     <ohjelmistoarkkitehti at gmail.com> wrote:
>
>
>         Hello all,
>
>         During authentication, is there any way to affect the password
>         user is sending? I do suspect not as it is a clear security
>         matter, but won't hurt to ask. I use auth_db module with
>         calculate_ha1 parameter set to 1. For reasons in integrating
>         Kamailio into my system architecture there is a need to store
>         a password in some other format than for example
>         md5('555:domain.com:password') while not allowing any
>         passwords to be stored as plaintext. 
>
>         For example: md5('555:domain.com:md5('password')') but this
>         would require me to hash the password before authentication,
>         in Kamailio script as I can't do it in the clients. 
>
>         Reason for this question is to have my users in a separate
>         database, and these users could have 0-n sip peers assigned to
>         them, and have users authenticate to my software and the sip
>         peers using the same password.
>
>         cheers,
>         Olli
>
>         _______________________________________________
>         SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>         mailing list
>         sr-users at lists.sip-router.org
>         <mailto:sr-users at lists.sip-router.org>
>         http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
