12 Oct
2004
12 Oct
'04
6:05 a.m.
Karl,
You could try using radius authentication. Just google the archives for
some docs on how to use it.
Dave
________________________________
From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org] On
Behalf Of karl
Sent: 12 October 2004 08:13
To: serusers(a)lists.iptel.org
Subject: [Serusers] Avoiding storing passwords in mysql "subscriber"
tablein clear-text
Hi guys,
I would appreciate if someone may help me on the subject. While still
requiring users to be authenticated against user credentials (username,
password, realm), on the other hand I want to avoid storing passwords in
clear text in mysql "subscriber" table. Any ideas?
Thank you in advanced.
Best regards,
Karl
________________________________
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
12 Oct
12 Oct
1:48 p.m.
New subject: [Serusers] Avoiding storing passwords in mysql "subscriber" tablein clear-text
I seem to remember that one of the parameters in the modparam
statement for the
auth module will determine if passwords are stored in clear text or
encrypted. I am
away from my office, and system, right now and cannot confirm this.
Check the auth
module documentation perhaps the answer is there.
Dave Bath wrote:
Karl,
You could try using radius authentication. Just google the archives
for some docs on how to use it.
Dave
------------------------------------------------------------------------
*From:* serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org]
*On Behalf Of *karl
*Sent:* 12 October 2004 08:13
*To:* serusers(a)lists.iptel.org
*Subject:* [Serusers] Avoiding storing passwords in mysql "subscriber"
tablein clear-text
Hi guys,
I would appreciate if someone may help me on the subject. While still
requiring users to be authenticated against user credentials
(username, password, realm), on the other hand I want to avoid storing
passwords in clear text in mysql "subscriber" table. Any ideas?
Thank you in advanced.
Best regards,
Karl
------------------------------------------------------------------------
Do you Yahoo!?
vote.yahoo.com <http://vote.yahoo.com> - Register online to vote today!
------------------------------------------------------------------------
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
15 Oct
15 Oct
8:18 a.m.
New subject: [Serusers] Avoiding storing passwords in mysql "subscriber" tablein clear-text
Hello Steve,
Thanks for your feedback.
Actually, as suggested by Antonio from another mail, I have already tried adding the
following modparam statements in the ser.cfg file:
modparam("auth_db", "calculate_ha1", 0)
modparam("auth_db", "password_column", "ha1")
.... and their effect is such that user authentication makes use of the hashed password in
the "ha1" password column created during user creation using "serctl
add" command.
On the other hand, what I am really after is that on user creation using serctl add
command, the password column "password" is not left in plain text. Is this
possible? or is it still required for SerWeb authentication?
Thanks
Karl
Steve Blair <blairs(a)isc.upenn.edu> wrote:
I seem to remember that one of the parameters in the modparam
statement for the
auth module will determine if passwords are stored in clear text or
encrypted. I am
away from my office, and system, right now and cannot confirm this.
Check the auth
module documentation perhaps the answer is there.
Dave Bath wrote:
Karl,
You could try using radius authentication. Just google the archives
for some docs on how to use it.
Dave
------------------------------------------------------------------------
*From:* serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org]
*On Behalf Of *karl
*Sent:* 12 October 2004 08:13
*To:* serusers(a)lists.iptel.org
*Subject:* [Serusers] Avoiding storing passwords in mysql "subscriber"
tablein clear-text
Hi guys,
I would appreciate if someone may help me on the subject. While still
requiring users to be authenticated against user credentials
(username, password, realm), on the other hand I want to avoid storing
passwords in clear text in mysql "subscriber" table. Any ideas?
Thank you in advanced.
Best regards,
Karl
------------------------------------------------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
------------------------------------------------------------------------
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
8:36 a.m.
New subject: [Serusers] Avoiding storing passwords in mysql "subscriber" tablein clear-text
Karl:
My notes say "modparam("auth", "calculate_ha1", yes)"
will allow
clear text
passwords in the MySQL database. I vaguely remember setting this to
no during a trial. I think, if my memory serves me correctly, that the value
in the password column was encrypted at that point.
I would recommend you try this for yourself and report back to the
list. It
has been a while since I last tried it and I am currently running with
clear
text passwords.
Thanks,Steve
karl wrote:
Hello Steve,
Thanks for your feedback.
Actually, as suggested by Antonio from another mail, I have already
tried adding the following modparam statements in the ser.cfg file:
modparam("auth_db", "calculate_ha1", 0)
modparam("auth_db", "password_column", "ha1")
.... and their effect is such that user authentication makes use of
the hashed password in the "ha1" password column created during user
creation using "serctl add" command.
On the other hand, what I am really after is that on user creation
using serctl add command, the password column "password" is not left
in plain text. Is this possible? or is it still required for SerWeb
authentication?
Thanks
Karl
*/Steve Blair <blairs(a)isc.upenn.edu>/* wrote:
I seem to remember that one of the parameters in the modparam
statement for the
auth module will determine if passwords are stored in clear text or
encrypted. I am
away from my office, and system, right now and cannot confirm this.
Check the auth
module documentation perhaps the answer is there.
Dave Bath wrote:
--
ISC Network Engineering
The University of Pennsylvania
3401 Walnut Street, Suite 221A
Philadelphia, PA 19104
voice: 215-573-8396
215-746-7903
fax: 215-898-9348
sip:blairs@upenn.edu
Karl,
You could try using radius authentication. Just google the archives
for some docs on how to use it.
Dave
------------------------------------------------------------------------
*From:* serusers-bounces(a)lists.iptel.org
[mailto:serusers-bounces@lists.iptel.org]
*On Behalf Of *karl
*Sent:* 12 October 2004 08:13
*To:* serusers(a)lists.iptel.org
*Subject:* [Serusers] Avoiding storing passwords in mysql
"subscriber"
tablein clear-text
Hi guys,
I would appreciate if someone may help me on the subject. While
still
requiring users to be authenticated against user
credentials
(username, password, realm), on the other hand I want to avoid
storing
passwords in clear text in mysql
"subscriber" table. Any ideas?
Thank you in advanced.
Best regards,
Karl
------------------------------------------------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
------------------------------------------------------------------------
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
9:15 a.m.
New subject: [Serusers] Avoiding storing passwords in mysql "subscriber" tablein clear-text
Steve,
Thanks once again.
I have modified the ser.cfg file as suggested, and restarted ser, but for whatever
parmater value yes/no used, I always get the following results when creating a new user
account with the serctl add command:
a) Clear text for password column "password".
b) Encrypted text for password column "ha1".
c) Encrypted text for password column "ha1b".
Regards,
Karl
Steve Blair <blairs(a)isc.upenn.edu> wrote:
Karl:
My notes say "modparam("auth", "calculate_ha1", yes)" will
allow
clear text
passwords in the MySQL database. I vaguely remember setting this to
no during a trial. I think, if my memory serves me correctly, that the value
in the password column was encrypted at that point.
I would recommend you try this for yourself and report back to the
list. It
has been a while since I last tried it and I am currently running with
clear
text passwords.
Thanks,Steve
karl wrote:
Hello Steve,
Thanks for your feedback.
Actually, as suggested by Antonio from another mail, I have already
tried adding the following modparam statements in the ser.cfg file:
modparam("auth_db", "calculate_ha1", 0)
modparam("auth_db", "password_column", "ha1")
.... and their effect is such that user authentication makes use of
the hashed password in the "ha1" password column created during user
creation using "serctl add" command.
On the other hand, what I am really after is that on user creation
using serctl add command, the password column "password" is not left
in plain text. Is this possible? or is it still required for SerWeb
authentication?
Thanks
Karl
*/Steve Blair /* wrote:
I seem to remember that one of the parameters in the modparam
statement for the
auth module will determine if passwords are stored in clear text or
encrypted. I am
away from my office, and system, right now and cannot confirm this.
Check the auth
module documentation perhaps the answer is there.
Dave Bath wrote:
--
ISC Network Engineering
The University of Pennsylvania
3401 Walnut Street, Suite 221A
Philadelphia, PA 19104
voice: 215-573-8396
215-746-7903
fax: 215-898-9348
sip:blairs@upenn.edu
---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
Karl,
You could try using radius authentication. Just google the archives
for some docs on how to use it.
Dave
------------------------------------------------------------------------
*From:* serusers-bounces(a)lists.iptel.org
[mailto:serusers-bounces@lists.iptel.org]
*On Behalf Of *karl
*Sent:* 12 October 2004 08:13
*To:* serusers(a)lists.iptel.org
*Subject:* [Serusers] Avoiding storing passwords in mysql
"subscriber"
tablein clear-text
Hi guys,
I would appreciate if someone may help me on the subject. While
still
requiring users to be authenticated against user
credentials
(username, password, realm), on the other hand I want to avoid
storing
passwords in clear text in mysql
"subscriber" table. Any ideas?
Thank you in advanced.
Best regards,
Karl
------------------------------------------------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
------------------------------------------------------------------------
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
13 Oct
13 Oct
11:27 a.m.
New subject: [Serusers] Avoiding storing passwords in mysql "subscriber" tablein clear-text
Hi Dave,
Thanks for your response. Does this mean that it is not possible to achieve this mysql
authentication. I happen to be using mysql.
Thanks once again.
Karl
Dave Bath <dave(a)fuuz.com> wrote:
v\:* {behavior:url(#default#VML);}o\:* {behavior:url(#default#VML);}w\:*
{behavior:url(#default#VML);}.shape {behavior:url(#default#VML);}
Karl,
You could try using radius authentication. Just google the archives for some docs on how
to use it.
Dave
---------------------------------
From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of
karl
Sent: 12 October 2004 08:13
To: serusers(a)lists.iptel.org
Subject: [Serusers] Avoiding storing passwords in mysql "subscriber" tablein
clear-text
Hi guys,
I would appreciate if someone may help me on the subject. While still requiring users to
be authenticated against user credentials (username, password, realm), on the other hand I
want to avoid storing passwords in clear text in mysql "subscriber" table. Any
ideas?
Thank you in advanced.
Best regards,
Karl
---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
---------------------------------
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
7430
days inactive
7433
days old
5 comments
3 participants
participants (3)
-
Dave Bath -
karl -
Steve Blair