You can store only the ha1 (and ha1b if you have clients using that form of auth username) in subscriber table (no plain text password in database) and set calculate_ha1 -- see also the parameters related to columns of auth_db for further adjustments.
Cheers,
Daniel

On 27/12/14 11:02, Olli Heiskanen wrote:
> Thanks for your input, I thought about working with pv_auth_check, but
> the problem is I can't decrypt the passwords from the database, they
> will be either md5 hashes or some other hashes that can't be
> decrypted. Also I can't access the password user is sending in order
> to encrypt it, so this way of solving my problem seems to be
> impossible as I suspected.
>
> I'll have to solve the problem some other way, but thanks very much
> for your excellent response.
>
> Thanks
>
> 2014-12-27 8:48 GMT+02:00 Muhammad Shahzad <shaherya...@gmail.com>:
>
>     I am not sure if I understand your question correctly, but if you
>     want to use any authentication source or encryption algorithm (for
>     back-end storage, e.g. for compliance with PCI DSS v2.0 and above)
>     other than standard db and ha1 hash then you may consider using
>     pv_auth_check,
>
>     http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check
>
>     just query whatever subscriber back-end you have, fetch the
>     password (decrypt according to your architecture requirements) and
>     supply it to this method through AVP. I recommend never to use
>     plain text passwords, even in this scenario (you should make ha1
>     hash before encrypting it specific to your back-end requirements,
>     so that when kamailio script decrypts it at run time, it would get
>     ha1 hash, rather than plaintext, thus keep it somewhat safe even
>     against memory exploits from remote hackers).
>
>     Regarding the digest response hash sent by client, no it is not
>     possible to decrypt it (at least under normal circumstances). You
>     may find ways to modify the response hash, but it would be most
>     likely pointless (since you do not know what was actually entered
>     by the user as password).
>
>     Thank you.
>
>     On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen
>     <ohjelmistoarkkite...@gmail.com> wrote:
>
>         Hello all,
>
>         During authentication, is there any way to affect the password
>         user is sending? I do suspect not as it is a clear security
>         matter, but won't hurt to ask. I use auth_db module with
>         calculate_ha1 parameter set to 1. For reasons in integrating
>         Kamailio into my system architecture there is a need to store
>         a password in some other format than for example
>         md5('555:domain.com:password') while not allowing any
>         passwords to be stored as plaintext.
>
>         For example: md5('555:domain.com:md5('password')') but this
>         would require me to hash the password before authentication,
>         in Kamailio script as I can't do it in the clients.
>
>         Reason for this question is to have my users in a separate
>         database, and these users could have 0-n sip peers assigned to
>         them, and have users authenticate to my software and the sip
>         peers using the same password.
>
>         cheers,
>         Olli
>
>         _______________________________________________
>         SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>         mailing list
>         sr-users@lists.sip-router.org
>         http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
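The digest arithmetic behind this thread, as an added example in Python that is not part of any of the messages above: it follows the RFC 2617 MD5 digest formulas, shows that a server holding only HA1 (or Kamailio's ha1b form) can verify a client response, and shows that the nested md5(password) storage format from the original question does not verify against a standard client. The user, realm, password and nonce are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # What the subscriber table's ha1 column holds: md5(username:realm:password)
    return md5_hex(f"{username}:{realm}:{password}")


def ha1b(username, domain, realm, password):
    # ha1b covers clients that send "username@domain" as the auth username
    return md5_hex(f"{username}@{domain}:{realm}:{password}")


def digest_response(ha1_hex, nonce, method, uri, qop=None, nc=None, cnonce=None):
    # RFC 2617: the response is built from HA1, never from the plaintext password
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def server_verify(stored_ha1, client_response, nonce, method, uri, **kw):
    # Server side: recompute from the stored HA1 and compare in constant time
    expected = digest_response(stored_ha1, nonce, method, uri, **kw)
    return hmac.compare_digest(expected, client_response)


# Constructed sample values (not taken from a real deployment)
USER, REALM, PASSWORD = "555", "domain.com", "password"
NONCE, METHOD, URI = "constructed-nonce-0001", "REGISTER", "sip:domain.com"


def demo():
    # A standard client hashes the plaintext the user typed into HA1 itself
    client_resp = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    stored_standard = ha1(USER, REALM, PASSWORD)
    # Storage format proposed in the question: md5(user:realm:md5(password))
    stored_nested = ha1(USER, REALM, md5_hex(PASSWORD))
    return {
        "standard": server_verify(stored_standard, client_resp, NONCE, METHOD, URI),
        "nested": server_verify(stored_nested, client_resp, NONCE, METHOD, URI),
    }


if __name__ == "__main__":
    print(demo())
```

The nested form fails because the server never sees the plaintext and so cannot re-derive the HA1 the client used; only the client could apply the extra md5 step.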