You can store only the ha1 (and ha1b if you have clients using that form of auth username) in subscriber table (no plain text password in database) and set calculate_ha1 -- see also the parameters related to columns of auth_db for further adjustments.

Cheers,
Daniel

On 27/12/14 11:02, Olli Heiskanen wrote:
Thanks for your input. I thought about working with pv_auth_check, but the problem is I can't decrypt the passwords from the database; they will be either md5 hashes or some other hashes that can't be decrypted. Also, I can't access the password the user is sending in order to encrypt it, so this way of solving my problem seems to be impossible, as I suspected.

I'll have to solve the problem some other way, but thanks very much for your excellent response.

Thanks



2014-12-27 8:48 GMT+02:00 Muhammad Shahzad <shaheryarkh@gmail.com>:
I am not sure if I understand your question correctly, but if you want to use any authentication source or encryption algorithm (for back-end storage, e.g. for compliance with PCI DSS v2.0 and above) other than standard db and ha1 hash then you may consider using pv_auth_check,

http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check

just query whatever subscriber back-end you have, fetch the password (decrypt according to your architecture requirements) and supply it to this method through AVP. I recommend never to use plain text passwords, even in this scenario (you should make ha1 hash before encrypting it specific to your back-end requirements, so that when kamailio script decrypts it at run time, it would get ha1 hash, rather than plaintext, thus keeping it somewhat safe even against memory exploits from remote hackers).

Regarding the digest response hash sent by the client, no, it is not possible to decrypt it (at least under normal circumstances). You may find ways to modify the response hash, but it would most likely be pointless (since you do not know what was actually entered by the user as password).

Thank you.



On Fri, Dec 26, 2014 at 7:33 PM, Olli Heiskanen <ohjelmistoarkkitehti@gmail.com> wrote:

Hello all,

During authentication, is there any way to affect the password the user is sending? I do suspect not, as it is a clear security matter, but it won't hurt to ask. I use the auth_db module with the calculate_ha1 parameter set to 1. For reasons in integrating Kamailio into my system architecture there is a need to store a password in some other format than, for example, md5('555:domain.com:password') while not allowing any passwords to be stored as plaintext.

For example: md5('555:domain.com:md5('password')') but this would require me to hash the password before authentication, in Kamailio script, as I can't do it in the clients.

Reason for this question is to have my users in a separate database, and these users could have 0-n sip peers assigned to them, and have users authenticate to my software and the sip peers using the same password.

cheers,
Olli

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users




-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
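
The digest check discussed in this thread, as an added Python example (not code from the thread and not Kamailio configuration): it shows that the server can verify a response from a stored ha1 alone, and that a stored md5('555:domain.com:md5('password')') cannot match what an unmodified client sends. The password, nonce, method and URI are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, secret: str) -> str:
    """HA1 = MD5(user:realm:secret), the value a subscriber table can hold."""
    return md5_hex(f"{user}:{realm}:{secret}")

def digest_response(ha1_hex, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """RFC 2617 digest response; client and server both derive it from HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def server_accepts(stored_ha1, client_resp, nonce, method, uri) -> bool:
    """Server side: recompute from the stored HA1, no plaintext needed."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_resp)

# Constructed sample values (user and realm follow the thread's example).
USER, REALM = "555", "domain.com"
PASSWORD = "constructed-password"
NONCE = "constructed-nonce-0001"
METHOD, URI = "REGISTER", "sip:domain.com"

def demo() -> dict:
    # What an unmodified SIP client sends: it hashes the password as typed.
    client_resp = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    standard = ha1(USER, REALM, PASSWORD)         # md5(user:realm:password)
    nested = ha1(USER, REALM, md5_hex(PASSWORD))  # md5(user:realm:md5(password))
    return {
        "standard_ha1": server_accepts(standard, client_resp, NONCE, METHOD, URI),
        "nested_ha1": server_accepts(nested, client_resp, NONCE, METHOD, URI),
    }

if __name__ == "__main__":
    print(demo())
```

The nested form only verifies if the client itself uses md5(password) as its secret, which is the constraint raised in the original question.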