Thanks for your input, I thought about working with pv_auth_check, but the
problem is I can't decrypt the passwords from the database, they will be
either md5 hashes or some other hashes that can't be decrypted. Also I
can't access the password the user is sending in order to encrypt it, so this
way of solving my problem seems to be impossible as I suspected.
I'll have to solve the problem some other way, but thanks very much for
your excellent response.
Thanks
2014-12-27 8:48 GMT+02:00 Muhammad Shahzad <shaheryarkh(a)gmail.com>:
I am not sure if I understand your question correctly, but if you want to
use any authentication source or encryption algorithm (for back-end
storage, e.g. for compliance with PCI DSS v2.0 and above) other than
standard db and ha1 hash then you may consider using pv_auth_check,
http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_che…
just query whatever subscriber back-end you have, fetch the password
(decrypt according to your architecture requirements) and supply it to this
method through AVP. I recommend never to use plain text passwords, even in
this scenario (you should make ha1 hash before encrypting it specific to
your back-end requirements, so that when kamailio script decrypts it at run
time, it would get ha1 hash, rather than plaintext, thus keep it somewhat
safe even against memory exploits from remote hackers).
Regarding the digest response hash sent by client, no it is not possible
to decrypt it (at least under normal circumstances). You may find ways to
modify the response hash, but it would be most likely pointless (since you
do not know what was actually entered by the user as password).
Thank you.
On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen <
ohjelmistoarkkitehti(a)gmail.com> wrote:
Hello all,
During authentication, is there any way to affect the password the user is
sending? I do suspect not as it is a clear security matter, but won't hurt
to ask. I use auth_db module with calculate_ha1 parameter set to 1. For
reasons in integrating Kamailio into my system architecture there is a need
to store a password in some other format than for example
md5('555:domain.com:password') while not allowing any passwords to be
stored as plaintext.
For example: md5('555:domain.com:md5('password')') but this would
require me to hash the password before authentication, in Kamailio script
as I can't do it in the clients.
Reason for this question is to have my users in a separate database, and
these users could have 0-n sip peers assigned to them, and have users
authenticate to my software and the sip peers using the same password.
cheers,
Olli
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
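
Added example, not part of the original thread: a sketch of the digest check discussed above, showing that a server holding only the ha1 hash can verify a client's response, and that storing md5('555:domain.com:md5('password')') instead fails unless the client itself pre-hashes the password. It assumes the RFC 2617 form without qop; the nonce, method and URI are constructed sample values and the function names are hypothetical.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, secret: str) -> str:
    """HA1 = MD5(username:realm:password), the value kept in the subscriber store."""
    return md5_hex(f"{user}:{realm}:{secret}")


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  client_response: str) -> bool:
    """Recompute the response from the stored HA1; no plaintext is needed."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)


# Constructed sample values (user, realm and password follow the thread's example).
USER, REALM, PASSWORD = "555", "domain.com", "password"
NONCE, METHOD, URI = "constructed-nonce-0001", "REGISTER", "sip:domain.com"


def demo() -> dict:
    # An unmodified SIP client hashes the password exactly as the user typed it.
    plain_client = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    # A client that pre-hashes the password (not possible in the thread's setup).
    prehash_client = digest_response(
        ha1(USER, REALM, md5_hex(PASSWORD)), NONCE, METHOD, URI)
    standard = ha1(USER, REALM, PASSWORD)          # md5('555:domain.com:password')
    nested = ha1(USER, REALM, md5_hex(PASSWORD))   # md5('555:domain.com:md5(password)')
    return {
        "standard_store_plain_client": server_verify(standard, NONCE, METHOD, URI, plain_client),
        "nested_store_plain_client": server_verify(nested, NONCE, METHOD, URI, plain_client),
        "nested_store_prehash_client": server_verify(nested, NONCE, METHOD, URI, prehash_client),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```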