[Spce-user] Hide customer password in Kamailio DB

Marc Storck mstorck at voipgate.com
Thu Apr 30 08:48:02 EDT 2015


OK. I don’t allow the user to define/change the SIP password online for several reasons:

- some users think it might be a good idea to change the password at certain intervals, but they have no clue how to reconfigure the device that’s using the credentials (you may imagine the number of support calls/emails)
- the password for the SIP account should be unique and not used anywhere else

So we randomly generate a 12-character (currently) password; some PBXs only support passwords up to 8 characters, so we allow this for those types of accounts.

Regards,

Marc

> On 30 Apr 2015, at 14:41, Mathys Frédéric <frederic.mathys at nagra.com> wrote:
> 
> The difference is when a user sets the same password for the SIP server and for his email account (for example), I don’t want to keep it in clear in the DB. I do understand that it will not block an attacker from authenticating to the SPCE, but I don’t want him to have clear text passwords maybe granting access to other services.
> 
> From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Marc Storck
> Sent: Thursday 30 April 2015 13:58
> To: <spce-user at lists.sipwise.com>
> Subject: Re: [Spce-user] Hide customer password in Kamailio DB
> 
> What is the difference between reading the plain text (unencrypted) password and reading the plain text (unencrypted) HA1 and HA1_2 values from the DB?
> 
> AFAIK, an attacker, who was able to read either of them from your DB, can use those values to correctly authenticate to the SPCE in any case.
> 
> On 30 Apr 2015, at 13:45, Mathys Frédéric <frederic.mathys at nagra.com <mailto:frederic.mathys at nagra.com>> wrote:
> 
> Hello,
> 
> When creating a new user, by default the password is saved in plaintext in the DB, column “password”. For obvious security reasons, I’d like to remove the password from this column and use only the ha1 and ha1b values. To do that, I modified the “auth_db” module configuration:
> 
> /etc/kamailio/proxy/kamailio.cfg
> modparam("auth_db", "use_domain", 1)
> modparam("auth_db", "calculate_ha1", 0)
> modparam("auth_db", "password_column", "ha1")
> modparam("auth_db", "password_column_2", "ha1_2")
> 
> Then, I removed the password for all users in the DB, and everyone seems able to connect with this configuration. My problem is now that when I create a new user, the password is automatically saved in plaintext and I don’t want that. So I tried to modify “kamctlrc” by adding the following line:
> 
> /etc/kamailio/proxy/kamctlrc and /etc/kamailio/lb/kamctlrc
> STORE_PLAINTEXT_PW=0
> 
> This has no effect, what should I do to disable that?
> 
> Thank you
> 
> Frederic Mathys
> System Integration & Validation Engineer
> 
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com <mailto:Spce-user at lists.sipwise.com>
> https://lists.sipwise.com/listinfo/spce-user <https://lists.sipwise.com/listinfo/spce-user>
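The two positions in this thread (Marc: an HA1 value leaked from the DB is as good as the password for authenticating to the SPCE; Frédéric: HA1 at least does not expose a password the user may reuse elsewhere) can both be checked in a few lines of RFC 2617 digest arithmetic. The following is an added example, not code from the thread, from Sipwise or from Kamailio. It assumes Kamailio's column definitions, ha1 = MD5(username:realm:password) and ha1b = MD5(username@domain:realm:password), assumes realm equals the subscriber's domain, and uses constructed usernames, nonces and rows; the audit helper and its row layout are hypothetical, not the real subscriber table.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """Kamailio 'ha1' column: MD5(username:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")


def ha1b(user: str, domain: str, realm: str, password: str) -> str:
    """Kamailio 'ha1b' column (used with use_domain=1): MD5(username@domain:realm:password)."""
    return md5_hex(f"{user}@{domain}:{realm}:{password}")


def digest_response_from_ha1(h1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).

    Note that nothing here needs the clear-text password: HA1 is the credential.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")


def digest_response_from_password(user: str, realm: str, password: str,
                                  method: str, uri: str, nonce: str) -> str:
    """What a SIP phone does: derive HA1 from the password, then the response."""
    return digest_response_from_ha1(ha1(user, realm, password), method, uri, nonce)


def ha1_is_password_equivalent(user: str, realm: str, password: str) -> bool:
    """Marc's point: a response built from the stored HA1 alone matches the
    one built from the password, so for this realm HA1 leaks the same capability."""
    method, uri = "REGISTER", f"sip:{realm}"
    nonce = "constructed-nonce-0001"  # constructed; a real server picks a fresh one
    from_pw = digest_response_from_password(user, realm, password, method, uri, nonce)
    from_h1 = digest_response_from_ha1(ha1(user, realm, password), method, uri, nonce)
    return from_pw == from_h1


# Constructed rows in a hypothetical subscriber table; realm is taken to be the domain.
_REALM = "example.invalid"
SUBSCRIBER_ROWS = [
    # plaintext still stored next to a consistent ha1 (the default Frédéric wants to stop)
    {"username": "alice", "domain": _REALM, "password": "s3cret-alice",
     "ha1": ha1("alice", _REALM, "s3cret-alice")},
    # ha1 only: the posture after clearing the password column
    {"username": "bob", "domain": _REALM, "password": "",
     "ha1": ha1("bob", _REALM, "s3cret-bob")},
    # plaintext stored and a stale ha1 that no longer matches it
    {"username": "carol", "domain": _REALM, "password": "s3cret-carol",
     "ha1": ha1("carol", _REALM, "old-password")},
]


def audit_subscriber_rows(rows):
    """Frédéric's point, as a defender's check: flag rows that still hold a clear-text
    password, rows that cannot authenticate against the ha1 column, and rows whose
    ha1 is inconsistent with the stored password. Returns (username, finding) pairs."""
    findings = []
    for row in rows:
        user, realm, pw, h1 = row["username"], row["domain"], row.get("password"), row.get("ha1")
        if pw:
            findings.append((user, "plaintext password stored"))
        if not h1:
            findings.append((user, "ha1 missing; auth against password_column=ha1 will fail"))
        elif pw and h1 != ha1(user, realm, pw):
            findings.append((user, "ha1 does not match stored password"))
    return findings


if __name__ == "__main__":
    print("HA1 password-equivalent for the realm:",
          ha1_is_password_equivalent("alice", _REALM, "s3cret-alice"))
    for user, finding in audit_subscriber_rows(SUBSCRIBER_ROWS):
        print(f"{user}: {finding}")
```

The first function shows why clearing the password column does not reduce what a DB reader can do against the SPCE itself, and the audit shows what it does buy: bob's row carries no reusable secret, while alice's and carol's still do. Rotating carol's HA1 after a password change is the only way to keep the two columns consistent.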

