Hello everyone, and thanks very much for your feedback. Some responses and
further questions below.
Daniel> Latest kamailio versions support also SHA256 algorithm
Martín> SHA256 is also a bad choice for storing passwords. See details here:
Daniel> However, the main blocker in using a different hashing algorithm
are the sip client devices (mainly hardphones), which implement only MD5.
If you implement your own client app, then you can extend kamailio to
support whatever hashing you do in the client. Then, of course you can use
client side tls certificates for authentication, which should be better
than any hashing algorithm.
Martín> I do implement my own client app, even though I use a third party
SIP stack, which currently doesn't support any other auth methods besides
basic and MD5 (standard ones). I am planning to send username and passwd as
custom SIP headers in the REGISTER message, probably encrypted, and this
will travel on top of TLS. Then Kamailio can extract these custom headers
and call a custom python script to decrypt the values and do the
authentication (bcrypt password and compare with the one in database).
Client certificates are good but only in certain situations (e.g. not if
you want a zero footprint client such as a web-based client), and in most
cases a pain to manage when your user base grows.
Alex> Do you know of any mainstream SIP UACs which support anything other
than standard MD5 digest auth?
Martín> I don't, but haven't really worked much at all with 3rd party SIP
clients. I doubt there's any support for newer passwd hashing schemes,
unfortunately.
----------
Now the details....
I'm looking at sipcomm.cfg and see it calls www_authenticate (defined in
modules/auth_db/authorize.c). I believe I would need to create a similar
function, e.g. bcrypt_authenticate, and call this instead, with the
username and passwd values I get in my custom headers (as explained above).
The routine would decrypt the values, look up the user in the database,
bcrypt the passwd extracted from the custom header, and compare with the
one in the database. Doesn't sound too hard, but I do have some concerns
related to other functions that www_authenticate may be doing, that I would
also need to do in my bcrypt_authenticate function in order to keep
Kamailio functioning properly.
For example, www_authenticate could be changing some values in the database
and/or other temporary storage. I took a quick look at the implementation
and tried to follow the calls inside it. I see calls to
mark_authorized_cred, check_auth_hr (or auth_check_hdr_md5), and
generate_avps, and that some of these functions are indeed changing some
values here and there. So, before spending more time looking into these
details, I wanted to see if any of you have any suggestions about how to
handle this situation, i.e. maybe all I need to do in bcrypt_authenticate
is to check the credentials and then set one flag in the database for the
user that was just authenticated?
Does the explanation above make sense to you? Please let me know any
suggestions or further guidance you may have.
Thanks a lot,
Martín.
On Mon, Nov 13, 2017 at 3:00 AM, <sr-users-request(a)lists.kamailio.org> wrote:
Today's Topics:
1. Branch 5.1 created (Daniel-Constantin Mierla)
2. Development open in master branch (to be v5.2.x) (Daniel-Constantin Mierla)
3. Re: using bcrypt passwd hashing (Daniel-Constantin Mierla)
4. Re: t_set_fr behaviour (Daniel-Constantin Mierla)
5. Re: t_set_fr behaviour (Daniel-Constantin Mierla)
6. Re: AVPOPS: is_avp_set/avp_check "name" parameter as variable. (Daniel-Constantin Mierla)
7. Re: strange --dialog in delete state is too old-- log line managing dialog hashes (Daniel-Constantin Mierla)
8. Re: 183 acc records even if early_media equals to 0 (Marco Capetta)
9. Re: Kamailio issue (Daniel-Constantin Mierla)
10. Re: using bcrypt passwd hashing (Yuriy Gorlichenko)
----------------------------------------------------------------------
Message: 1
Date: Sun, 12 Nov 2017 14:42:35 +0100
From: Daniel-Constantin Mierla <miconda(a)gmail.com>
To: "Kamailio (SER) - Devel Mailing List" <sr-dev(a)lists.kamailio.org>,
"Kamailio (SER) - Users Mailing List" <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] Branch 5.1 created
Message-ID: <dca81faa-dec2-4e12-704f-b382d23493d7(a)gmail.com>
Content-Type: text/plain; charset=utf-8
Hello,
the GIT branch 5.1 has just been created, it will host the release
series 5.1.x. To get this branch from GIT, you can use:
git clone https://github.com/kamailio/kamailio.git kamailio
cd kamailio
git checkout -b 5.1 origin/5.1
Hopefully in two-three weeks time frame the full release of 5.1.0 will
be out.
From now on, any corresponding fix has to be pushed first to master
branch and then cherry-picked to branch 5.1. No new features can get in
branch 5.1. Enhancements to documentation or helping tools, as well as
kemi exports are still allowed. If you are not sure about doing or not a
backport, ask on sr-dev mailing list.
Cheers,
Daniel
--
Daniel-Constantin Mierla
www.twitter.com/miconda --
www.linkedin.com/in/miconda
Kamailio Advanced Training -
www.asipto.com
Kamailio World Conference -
www.kamailioworld.com
------------------------------
Message: 2
Date: Sun, 12 Nov 2017 14:50:45 +0100
From: Daniel-Constantin Mierla <miconda(a)gmail.com>
To: "Kamailio (SER) - Devel Mailing List" <sr-dev(a)lists.kamailio.org>,
"Kamailio (SER) - Users Mailing List" <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] Development open in master branch (to be v5.2.x)
Message-ID: <07baf03f-0d1b-30f6-45d2-cacfc3dfec99(a)gmail.com>
Content-Type: text/plain; charset=utf-8
Hello,
git branch 5.1 was just created (to host the release series v5.1.x),
therefore new features can now be pushed again in master branch. They
will be part of the next future release, likely to be numbered 5.2.x.
Any fixes that affect existing code in branches 5.1 or older version
have to be backported - push first to master and then cherry pick -- see
the contributing guidelines at:
- https://www.kamailio.org/wiki/devel/git-commit-guidelines#backporting_commits
Many thanks to all contributors so far! Testing of branch 5.1 and giving
feedback for it is very appreciated!
Cheers,
Daniel
------------------------------
Message: 3
Date: Mon, 13 Nov 2017 09:22:17 +0100
From: Daniel-Constantin Mierla <miconda(a)gmail.com>
To: "Kamailio (SER) - Users Mailing List" <sr-users(a)lists.kamailio.org>,
Yuriy Gorlichenko <ovoshlook(a)gmail.com>
Subject: Re: [SR-Users] using bcrypt passwd hashing
Message-ID: <c7bb57e5-16dd-f5c2-f4ac-e3060f3b45bb(a)gmail.com>
Content-Type: text/plain; charset="utf-8"
On 12.11.17 10:33, Yuriy Gorlichenko wrote:
> You can realize any of auth methods by yourself and include it via
> config file/kemi on lua/by adding module
> for example I added SSO auth without any troubles instead of basic MD5
> for some projects.
Out of curiosity, what do you refer by SSO?
Cheers,
Daniel
> 2017-11-11 18:49 GMT+03:00 Alex Balashov <abalashov(a)evaristesys.com
> <mailto:abalashov@evaristesys.com>>:
>
> Do you know of any mainstream SIP UACs which support anything
> other than standard MD5 digest auth?
>
> On November 10, 2017 7:11:26 PM EST, "Walter Martín Villalba"
> <wvillalba(a)gmail.com <mailto:wvillalba@gmail.com>> wrote:
> >Hello,
> >
> >I did some searches online and talked to some colleagues and it seems
> >Kamailio only supports the traditional HTTP digest authentication, which
> >uses MD5. I would like to know if any of you have been successful in using
> >bcrypt/scrypt/pbkdf2 passwd hashing, instead of MD5, which has been deemed
> >as obsolete and insecure a long time ago. Perhaps you've written your own
> >auth module, or just modified the config script to call some other
> >credential checking routine using a custom python/perl script (I'm thinking
> >of doing the latter, if nothing better is available).
> >
> >If any of you have done something like this, using bcrypt or any other
> >current and secure hashing algorithm, I would appreciate some guidance. If
> >you haven't, aren't you concerned about storing MD5 password hashes in your
> >database?
> >
> >Note: if I can't find a good answer using this list, I will try the
> >developer's list next.
> >
> >Thanks in advance,
> >
> >Martín.
>
> -- Alex
> --
> Sent via mobile, please forgive typos and brevity.
>
--
Daniel-Constantin Mierla
www.twitter.com/miconda --
www.linkedin.com/in/miconda
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin -
www.asipto.com
Kamailio World Conference -
www.kamailioworld.com