Thanks for your input. I thought about working with pv_auth_check, but the problem is I can't decrypt the passwords from the database; they will be either md5 hashes or some other hashes that can't be decrypted. Also, I can't access the password the user is sending in order to encrypt it, so this way of solving my problem seems to be impossible, as I suspected.

I'll have to solve the problem some other way, but thanks very much for your excellent response.

Thanks

2014-12-27 8:48 GMT+02:00 Muhammad Shahzad <shaherya...@gmail.com>:

> I am not sure if I understand your question correctly, but if you want to use any authentication source or encryption algorithm (for back-end storage, e.g. for compliance with PCI DSS v2.0 and above) other than standard db and ha1 hash then you may consider using pv_auth_check,
>
> http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check
>
> just query whatever subscriber back-end you have, fetch the password (decrypt according to your architecture requirements) and supply it to this method through AVP. I recommend never to use plain text passwords, even in this scenario (you should make ha1 hash before encrypting it specific to your back-end requirements, so that when kamailio script decrypts it at run time, it would get ha1 hash, rather than plaintext, thus keep it somewhat safe even against memory exploits from remote hackers).
>
> Regarding the digest response hash sent by client, no it is not possible to decrypt it (at least under normal circumstances). You may find ways to modify the response hash, but it would be most likely pointless (since you do not know what was actually entered by the user as password).
>
> Thank you.
>
> On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen <ohjelmistoarkkite...@gmail.com> wrote:
>
>> Hello all,
>>
>> During authentication, is there any way to affect the password the user is sending? I do suspect not as it is a clear security matter, but won't hurt to ask. I use auth_db module with calculate_ha1 parameter set to 1. For reasons in integrating Kamailio into my system architecture there is a need to store a password in some other format than for example md5('555:domain.com:password') while not allowing any passwords to be stored as plaintext.
>>
>> For example: md5('555:domain.com:md5('password')') but this would require me to hash the password before authentication, in Kamailio script as I can't do it in the clients.
>>
>> Reason for this question is to have my users in a separate database, and these users could have 0-n sip peers assigned to them, and have users authenticate to my software and the sip peers using the same password.
>>
>> cheers,
>> Olli
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users