Hi,
I am currently deploying SER on a Linksys WRT54GS v1.1 router. I am using dbtext for authentication purposes. Lately I noticed that the users' passwords are stored as text. My question is whether there is any way in which I could encrypt these passwords. Maybe using another module? Any information will be much appreciated.
Thanks
You can store them as HA1 strings (see RFC2617 for details). Basically it is an MD5 hash of username, realm, and password. It is still not very secure, because if someone gets access to the string then he could authenticate using a modified SIP user agent, but at least people won't see the passwords by accident.
To enable this set:
    modparam("auth_db", "calculate_ha1", no)
    modparam("auth_db", "password_column", "ha1")
You can generate the HA1 strings using gen_ha1 tool (which is installed with SER).
Jan.
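The HA1 scheme described in the reply above, worked through as an added example (not code from the thread or from SER). It follows the RFC 2617 formulas; the user name, realm, password, nonce and URI are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """Value kept in the ha1 column: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """RFC 2617 'response' field, derived from HA1 (the password is not an input)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def server_verify(stored_ha1, response, nonce, method, uri, **qop_fields):
    """Server side: recompute from the stored HA1, compare in constant time."""
    expected = digest_response(stored_ha1, nonce, method, uri, **qop_fields)
    return hmac.compare_digest(expected, response)

# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "alice", "example.org", "s3cret"
NONCE, METHOD, URI = "4f2a9c1e", "REGISTER", "sip:example.org"

def demo():
    stored = ha1(USER, REALM, PASSWORD)  # the only secret the server keeps
    # An ordinary UA starts from the password and derives HA1 itself;
    # only the resulting hash goes over the wire in the Authorization header.
    from_password = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    # The stored string alone yields the same response, which is why the
    # ha1 column has to be protected like a credential.
    from_stored = digest_response(stored, NONCE, METHOD, URI)
    wrong = digest_response(ha1(USER, REALM, "guess"), NONCE, METHOD, URI)
    return {
        "password_client_ok": server_verify(stored, from_password, NONCE, METHOD, URI),
        "ha1_only_client_ok": server_verify(stored, from_stored, NONCE, METHOD, URI),
        "wrong_password_ok": server_verify(stored, wrong, NONCE, METHOD, URI),
    }

if __name__ == "__main__":
    print(demo())
```

Because the stored string is enough to answer a challenge, the subscriber file should be readable only by the SER process. HA1 also binds the realm, so a string generated for one realm does not verify under another.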
Thanks for the e-mail.
I read through all the available documentation and tried your suggestions. Supposedly this should be enough; however, as I am using a different version of SER optimized for the mipsel architecture (i.e. WRT54GS router - www.milkfish.org), I gather things are a bit different.
After editing ser.cfg and adding the lines below, the subscribers file (where username, password MD5 hash, etc. is stored) now contains the MD5 hash string, yet it also still contained the password as txt.
Therefore I edited dbtextctl (same as serctl but optimized for dbtext db's). I found that a whole string composed of various parameters (username, MD5, password, realm, etc) was being saved in the subscribers file. I identified the parameter storing the password as txt and removed it.
Adding a new subscriber works fine, and the password is no longer stored as text; however, UA REGISTERs aren't working. In my opinion this is because the password is being sent as TXT to SER, which is then comparing it to the MD5 string. This test obviously fails.
Possible solutions would be:
a) have the UA itself calculate the MD5 hash string and send it, or
b) have SER receive the password as text, then calculate the MD5 hash and compare
The second option is the best; however, I have no idea how to do this, or where to start. Any help will be much appreciated.
Thanks, Istvan
-----Original Message-----
From: Jan Janak [mailto:jan@iptel.org]
Sent: Thursday, 9 March 2006 10:17
To: Istvan Hubay Cebrian
Cc: serusers@lists.iptel.org
Subject: Re: [Serusers] dbtext authentication and password encryption
You can store them as HA1 strings (see RFC2617 for details). Basically it is an MD5 hash of username, realm, and password. It is still not very secure, because if someone gets access to the string then he could authenticate using a modified SIP user agent, but at least people won't see the passwords by accident.
To enable this set:
    modparam("auth_db", "calculate_ha1", no)
    modparam("auth_db", "password_column", "ha1")
You can generate the HA1 strings using gen_ha1 tool (which is installed with SER).
Jan.