Karl,
You could try using radius authentication. Just google the archives for some docs on how to use it.
Dave
________________________________
From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of karl
Sent: 12 October 2004 08:13
To: serusers@lists.iptel.org
Subject: [Serusers] Avoiding storing passwords in mysql "subscriber" table in clear-text
Hi guys,
I would appreciate it if someone could help me on the subject. While still requiring users to be authenticated against user credentials (username, password, realm), on the other hand I want to avoid storing passwords in clear text in mysql "subscriber" table. Any ideas?
Thank you in advance.
Best regards,
Karl
I seem to remember that one of the parameters in the modparam statement for the auth module will determine if passwords are stored in clear text or encrypted. I am away from my office, and system, right now and cannot confirm this. Check the auth module documentation; perhaps the answer is there.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hello Steve,
Thanks for your feedback.
Actually, as suggested by Antonio from another mail, I have already tried adding the following modparam statements in the ser.cfg file:
    modparam("auth_db", "calculate_ha1", 0)
    modparam("auth_db", "password_column", "ha1")
.... and their effect is such that user authentication makes use of the hashed password in the "ha1" password column created during user creation using "serctl add" command.
On the other hand, what I am really after is that on user creation using serctl add command, the password column "password" is not left in plain text. Is this possible? Or is it still required for SerWeb authentication?
Thanks
Karl
Karl:
My notes say "modparam("auth", "calculate_ha1", yes)" will allow clear text passwords in the MySQL database. I vaguely remember setting this to no during a trial. I think, if my memory serves me correctly, that the value in the password column was encrypted at that point.
I would recommend you try this for yourself and report back to the list. It has been a while since I last tried it and I am currently running with clear text passwords.
Thanks,
Steve
Steve,
Thanks once again.
I have modified the ser.cfg file as suggested, and restarted ser, but for whatever parameter value yes/no used, I always get the following results when creating a new user account with the serctl add command:
a) Clear text for password column "password".
b) Encrypted text for password column "ha1".
c) Encrypted text for password column "ha1b".
Regards,
Karl
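Added example (not part of the original thread, and not SER or serctl code): a sketch of why digest authentication with calculate_ha1 set to 0 needs only the hashed "ha1"/"ha1b" columns and never the clear-text "password" column. The user, domain, password and nonce are constructed sample values, the function names are hypothetical, and the realm is assumed to equal the user's domain.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_row(username: str, domain: str, password: str) -> dict:
    """Build a subscriber row that holds only hashed credentials."""
    return {
        "username": username,
        "domain": domain,
        # HA1 as defined by HTTP/SIP digest auth: MD5(username:realm:password)
        "ha1": md5_hex(f"{username}:{domain}:{password}"),
        # Variant for clients that send "user@domain" as the digest username
        "ha1b": md5_hex(f"{username}@{domain}:{domain}:{password}"),
    }

def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 response, computed from HA1 alone (no password needed)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify(row: dict, method: str, creds: dict) -> bool:
    """Server side: check the client's response against the stored hash."""
    stored = row["ha1b"] if "@" in creds["username"] else row["ha1"]
    expected = digest_response(stored, method, creds["uri"], creds["nonce"],
                               creds.get("qop"), creds.get("nc"),
                               creds.get("cnonce"))
    return hmac.compare_digest(expected, creds["response"])

def client_creds(username, realm, password, method, uri, nonce) -> dict:
    """Client side: what a phone that knows the password would send."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    return {"username": username, "uri": uri, "nonce": nonce,
            "response": digest_response(ha1, method, uri, nonce)}

if __name__ == "__main__":
    # Constructed sample data
    row = make_row("karl", "example.com", "s3cret")
    uri, nonce = "sip:example.com", "41ad0f3b9c2e"
    for user, pw in [("karl", "s3cret"), ("karl@example.com", "s3cret"),
                     ("karl", "wrong")]:
        creds = client_creds(user, "example.com", pw, "REGISTER", uri, nonce)
        print(user, pw, "->", verify(row, "REGISTER", creds))
```

The stored HA1 is still password-equivalent for its realm, since anyone who reads it can compute valid responses, so the hashed columns need the same access controls as a password would.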
Hi Dave,
Thanks for your response. Does this mean that it is not possible to achieve this mysql authentication? I happen to be using mysql.
Thanks once again.
Karl