<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You can store only the ha1 (and ha1b if you have clients using that
form of auth username) in the subscriber table (no plain text password
in the database) and set calculate_ha1 -- see also the parameters
related to columns of auth_db for further adjustments.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 27/12/14 11:02, Olli Heiskanen
wrote:<br>
</div>
<blockquote
cite="mid:CALu7wuaLKgwzJ8LSYtceCdRodga89bUvH9i0df1baQnkd+r4VA@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks for your input, I thought about working with
pv_auth_check, but the problem is I can't decrypt the passwords
from the database, they will be either md5 hashes or some other
hashes that can't be decrypted. Also I can't access the password
the user is sending in order to encrypt it, so this way of solving
my problem seems to be impossible as I suspected.
<div><br>
</div>
<div>I'll have to solve the problem some other way, but thanks
very much for your excellent response.</div>
<div><br>
</div>
<div>Thanks<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-12-27 8:48 GMT+02:00 Muhammad
Shahzad <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:shaheryarkh@gmail.com" target="_blank">shaheryarkh@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>I am not sure if I understand your question
correctly, but if you want to use any authentication
source or encryption algorithm (for back-end storage,
e.g. for compliance with PCI DSS v2.0 and above) other
than standard db and ha1 hash then you may consider
using pv_auth_check,<br>
<br>
<a moz-do-not-send="true"
href="http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check"
target="_blank">http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.f.pv_auth_check</a><br>
<br>
</div>
just query whatever subscriber back-end you have, fetch
the password (decrypt according to your architecture
requirements) and supply it to this method through AVP.
I recommend never to use plain text passwords, even in
this scenario (you should make ha1 hash before
encrypting it specific to your back-end requirements, so
that when Kamailio script decrypts it at run time, it
would get ha1 hash, rather than plaintext, thus keeping it
somewhat safe even against memory exploits from remote
hackers).<br>
<br>
</div>
Regarding the digest response hash sent by client, no it
is not possible to decrypt it (at least under normal
circumstances). You may find ways to modify the response
hash, but it would be most likely pointless (since you do
not know what was actually entered by the user as
password).<br>
<div>
<div><br>
</div>
<div>Thank you.<br>
</div>
<div><br>
<br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div class="h5">On Fri, Dec 26, 2014 at 7:33 PM, Olli
Heiskanen <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:ohjelmistoarkkitehti@gmail.com"
target="_blank">ohjelmistoarkkitehti@gmail.com</a>&gt;</span>
wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div class="h5">
<div dir="ltr">
<div><br>
</div>
<div>Hello all,</div>
<div><br>
</div>
<div>During authentication, is there any way to
affect the password the user is sending? I do
suspect not as it is a clear security matter,
but it won't hurt to ask. I use the auth_db module
with the calculate_ha1 parameter set to 1. For
reasons in integrating Kamailio into my system
architecture there is a need to store a
password in some other format than for example
md5('555:domain.com:password') while not
allowing any passwords to be stored as
plaintext. </div>
<div><br>
</div>
<div>For example:
md5('555:domain.com:md5('password')') but this
would require me to hash the password before
authentication, in Kamailio script as I can't
do it in the clients. </div>
<div><br>
</div>
<div>The reason for this question is to have my
users in a separate database, and these users
could have 0-n sip peers assigned to them, and
have users authenticate to my software and the
sip peers using the same password.</div>
<div><br>
</div>
<div>cheers,</div>
<div>Olli</div>
</div>
<br>
</div>
</div>
_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) -
sr-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:sr-users@lists.sip-router.org"
target="_blank">sr-users@lists.sip-router.org</a><br>
<a moz-do-not-send="true"
href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users"
target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a></pre>
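<p>Added example, not part of the original thread or of Kamailio's code: a sketch of the digest check discussed above, showing that a server holding only the ha1 (or ha1b) value can verify a standard client's response, and that a stored md5('555:domain.com:md5('password')') does not match what the client sends. The function names, password, nonce and request URI are constructed for illustration; the response formula is the RFC 2617 form without qop.</p>

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """Value for the subscriber 'ha1' column: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha1b(username, domain, realm, password):
    """'ha1b' variant for clients that send user@domain as the auth username."""
    return md5_hex(f"{username}@{domain}:{realm}:{password}")


def digest_response(ha1_hex, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def server_verify(stored_ha1, nonce, method, uri, client_response):
    """Server side: only the stored hash is needed, never the plaintext."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)


# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "555", "domain.com", "s3cret-example"
NONCE, METHOD, URI = "constructed-nonce-0001", "REGISTER", "sip:domain.com"


def client_register_response():
    """A standard SIP client hashes the password exactly as the user typed it."""
    return digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)


def check_standard_storage():
    """DB holds md5(user:realm:password): the client's response verifies."""
    stored = ha1(USER, REALM, PASSWORD)
    return server_verify(stored, NONCE, METHOD, URI, client_register_response())


def check_nested_storage():
    """DB holds md5(user:realm:md5(password)): the same response is rejected."""
    stored = ha1(USER, REALM, md5_hex(PASSWORD))
    return server_verify(stored, NONCE, METHOD, URI, client_register_response())


if __name__ == "__main__":
    print("standard ha1 storage verifies:", check_standard_storage())
    print("nested-hash storage verifies: ", check_nested_storage())
```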
</body>
</html>