Hello everyone, and thanks very much for your feedback. Some responses and further questions below.
Daniel> Latest kamailio versions support also SHA256 algorithm
Martín> SHA256 is also a bad choice for storing passwords. See details here: https://crackstation.net/hashing-security.htm
Daniel> However, the main blocker in using a different hashing algorithm are the sip client devices (mainly hardphones), which implement only MD5. If you implement your own client app, then you can extend kamailio to support whatever hashing you do in the client. Then, of course you can use client side tls certificates for authentication, which should be better than any hashing algorithm.
Martín> I do implement my own client app, even though I use a third party SIP stack, which currently doesn't support any other auth methods besides basic and MD5 (standard ones). I am planning to send username and passwd as custom SIP headers in the REGISTER message, probably encrypted, and this will travel on top of TLS. Then Kamailio can extract these custom headers and call a custom python script to decrypt the values and do the authentication (bcrypt password and compare with the one in database). Client certificates are good but only in certain situations (e.g. not if you want a zero footprint client such as a web-based client), and in most cases a pain to manage when your user base grows.
Alex> Do you know of any mainstream SIP UACs which support anything other than standard MD5 digest auth?
Martín> I don't, but haven't really worked much at all with 3rd party SIP clients. I doubt there's any support for newer passwd hashing schemes, unfortunately.
----------
Now the details....
I'm looking at sipcomm.cfg and see it calls www_authenticate (defined in modules/auth_db/authorize.c). I believe I would need to create a similar function, e.g. bcrypt_authenticate, and call this instead, with the username and passwd values I get in my custom headers (as explained above). The routine would decrypt the values, look up the user in the database, bcrypt the passwd extracted from the custom header, and compare with the one in the database. Doesn't sound too hard, but I do have some concerns related to other functions that www_authenticate may be doing, that I would also need to do in my bcrypt_authenticate function in order to keep Kamailio functioning properly.
For example, www_authenticate could be changing some values in the database and/or other temporary storage. I took a quick look at the implementation and tried to follow the calls inside it. I see calls to mark_authorized_cred, check_auth_hr (or auth_check_hdr_md5), and generate_avps, and that some of these functions are indeed changing some values here and there. So, before spending more time looking into these details, I wanted to see if any of you have any suggestions about how to handle this situation, i.e. maybe all I need to do in bcrypt_authenticate is to check the credentials and then set one flag in the database for the user that was just authenticated?
Does the explanation above make sense to you? Please let me know any suggestions or further guidance you may have.
Thanks a lot, Martín.
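As an added illustration of the credential check described in the message above (this is not code from the thread, from Kamailio, or from Martín; the Kamailio side of calling it from the config is not shown): a small Python module that pulls the username and password out of custom headers in a REGISTER, looks the user up, and verifies the password against a salted, iterated hash with a constant-time comparison. Everything here is an assumption for the sake of a runnable example: the header names X-Auth-User/X-Auth-Pass, the record format, the in-memory user table, and the use of the standard library's PBKDF2-HMAC-SHA256 in place of bcrypt (bcrypt needs a third-party package; the verification shape is the same). The header values are taken in the clear, relying on the TLS channel, so the "probably encrypted" layer mentioned above is left out.

```python
"""Verify username/password carried in custom SIP headers (added example, not Kamailio code)."""
import base64
import binascii
import hashlib
import hmac
import os

# Hypothetical header names; the thread does not fix them. Stored lowercased for lookup.
USER_HDR = "x-auth-user"
PASS_HDR = "x-auth-pass"

# Assumption: stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt (which needs a third-party package).
PBKDF2_ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 100_000
HASH_LEN = 32


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt: no shared rainbow tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return "$".join([PBKDF2_ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(record, candidate):
    """Recompute the hash of `candidate` with the record's salt; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, binascii.Error):
        return False                   # malformed record never authenticates
    # Reject records with the wrong algorithm, no iterations, or a truncated/empty hash.
    if algo != PBKDF2_ALGO or iterations < 1 or len(expected) != HASH_LEN:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(dk, expected)


def parse_sip_headers(raw):
    """Return {lowercased-name: [values...]} for the header block of a SIP message."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # drop the request line
        if line == "":
            break                        # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# Constructed user table; a real deployment reads these records from the subscriber database.
USER_DB = {"alice": hash_password("correct horse battery staple")}
# Verified for unknown users so a lookup costs the same whether or not the user exists.
DUMMY_RECORD = hash_password(base64.b64encode(os.urandom(12)).decode("ascii"))


def authenticate_register(raw_register, user_db=USER_DB):
    """True only if exactly one user header and one password header are present and verify."""
    hdrs = parse_sip_headers(raw_register)
    users = hdrs.get(USER_HDR, [])
    passwords = hdrs.get(PASS_HDR, [])
    if len(users) != 1 or len(passwords) != 1:
        return False                   # missing or duplicated auth headers are rejected outright
    record = user_db.get(users[0])
    if record is None:
        verify_password(DUMMY_RECORD, passwords[0])
        return False
    return verify_password(record, passwords[0])


# Constructed REGISTER as the client would send it inside the TLS connection.
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@client.example.com\r\n"
    "CSeq: 1 REGISTER\r\n"
    "X-Auth-User: alice\r\n"
    "X-Auth-Pass: correct horse battery staple\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("alice, right password:", authenticate_register(SAMPLE_REGISTER))
    print("alice, wrong password:", authenticate_register(SAMPLE_REGISTER.replace("battery", "batery")))
```

Two design points worth keeping when porting this to whatever script Kamailio ends up calling: a duplicated auth header is refused rather than "first one wins", so a proxy in the path cannot quietly swap credentials, and an unknown user still costs one full hash computation, so response time does not reveal which usernames exist.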
On Mon, Nov 13, 2017 at 3:00 AM, sr-users-request@lists.kamailio.org wrote:
Send sr-users mailing list submissions to sr-users@lists.kamailio.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users or, via email, send a message with subject or body 'help' to sr-users-request@lists.kamailio.org
You can reach the person managing the list at sr-users-owner@lists.kamailio.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of sr-users digest..."
Today's Topics:
- Branch 5.1 created (Daniel-Constantin Mierla)
- Development open in master branch (to be v5.2.x) (Daniel-Constantin Mierla)
- Re: using bcrypt passwd hashing (Daniel-Constantin Mierla)
- Re: t_set_fr behaviour (Daniel-Constantin Mierla)
- Re: t_set_fr behaviour (Daniel-Constantin Mierla)
- Re: AVPOPS: is_avp_set/avp_check "name" parameter as variable. (Daniel-Constantin Mierla)
- Re: strange --dialog in delete state is too old-- log line managing dialog hashes (Daniel-Constantin Mierla)
- Re: 183 acc records even if early_media equals to 0 (Marco Capetta)
- Re: Kamailio issue (Daniel-Constantin Mierla)
- Re: using bcrypt passwd hashing (Yuriy Gorlichenko)
Message: 1
Date: Sun, 12 Nov 2017 14:42:35 +0100
From: Daniel-Constantin Mierla <miconda@gmail.com>
To: "Kamailio (SER) - Devel Mailing List" <sr-dev@lists.kamailio.org>, "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>
Subject: [SR-Users] Branch 5.1 created
Message-ID: <dca81faa-dec2-4e12-704f-b382d23493d7@gmail.com>
Content-Type: text/plain; charset=utf-8
Hello,
the GIT branch 5.1 has just been created, it will host the release series 5.1.x. To get this branch from GIT, you can use:
git clone https://github.com/kamailio/kamailio.git kamailio
cd kamailio
git checkout -b 5.1 origin/5.1
Hopefully in two-three weeks time frame the full release of 5.1.0 will be out.
From now on, any corresponding fix has to be pushed first to master branch and then cherry-picked to branch 5.1. No new features can get in branch 5.1. Enhancements to documentation or helping tools, as well as kemi exports are still allowed. If you are not sure about doing or not a backport, ask on sr-dev mailing list.
Cheers, Daniel
-- Daniel-Constantin Mierla www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training - www.asipto.com Kamailio World Conference - www.kamailioworld.com
Message: 2
Date: Sun, 12 Nov 2017 14:50:45 +0100
From: Daniel-Constantin Mierla <miconda@gmail.com>
To: "Kamailio (SER) - Devel Mailing List" <sr-dev@lists.kamailio.org>, "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>
Subject: [SR-Users] Development open in master branch (to be v5.2.x)
Message-ID: <07baf03f-0d1b-30f6-45d2-cacfc3dfec99@gmail.com>
Content-Type: text/plain; charset=utf-8
Hello,
git branch 5.1 was just created (to host the release series v5.1.x), therefore new features can now be pushed again in master branch. They will be part of the next future release, likely to be numbered 5.2.x.
Any fixes that affect existing code in branches 5.1 or older version have to be backported - push first to master and then cherry pick -- see the contributing guidelines at:
https://www.kamailio.org/wiki/devel/git-commit-guidelines#backporting_commits
Many thanks to all contributors so far! Testing of branch 5.1 and giving feedback for it is very appreciated!
Cheers, Daniel
Message: 3
Date: Mon, 13 Nov 2017 09:22:17 +0100
From: Daniel-Constantin Mierla <miconda@gmail.com>
To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>, Yuriy Gorlichenko <ovoshlook@gmail.com>
Subject: Re: [SR-Users] using bcrypt passwd hashing
Message-ID: <c7bb57e5-16dd-f5c2-f4ac-e3060f3b45bb@gmail.com>
Content-Type: text/plain; charset="utf-8"
On 12.11.17 10:33, Yuriy Gorlichenko wrote:
You can realize any of auth methods by yourself and include it via config file/kemi on lua/by adding module
For example, I added SSO auth without any troubles instead of basic MD5 for some projects.
Out of curiosity, what do you refer to by SSO?
Cheers, Daniel
2017-11-11 18:49 GMT+03:00 Alex Balashov <abalashov@evaristesys.com>:
Do you know of any mainstream SIP UACs which support anything other than standard MD5 digest auth?
On November 10, 2017 7:11:26 PM EST, "Walter Martín Villalba" <wvillalba@gmail.com> wrote:
> Hello,
> I did some searches online and talked to some colleagues and it seems Kamailio only supports the traditional HTTP digest authentication, which uses MD5. I would like to know if any of you has been successful in using bcrypt/scrypt/pbkdf2 passwd hashing, instead of MD5, which has been deemed as obsolete and insecure a long time ago. Perhaps you've written your own auth module, or just modified the config script to call some other credential checking routine using a custom python/perl script (I'm thinking of doing the latter, if nothing better is available).
> If any of you have done something like this, using bcrypt or any other current and secure hashing algorithm, I would appreciate some guidance. If you haven't, aren't you concerned about storing MD5 password hashes in your database?
> Note: if I can't find a good answer using this list, I will try the developer's list next.
> Thanks in advance,
> Martín.
-- Alex
-- Sent via mobile, please forgive typos and brevity.
_______________________________________________
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - www.asipto.com Kamailio World Conference - www.kamailioworld.com