[Spce-user] Hide customer password in Kamailio DB

Raúl Alexis Betancor Santana rabs at dimension-virtual.com
Thu Apr 30 12:11:16 EDT 2015


Marc, 

HA1 and HA1_2 are not 'unencrypted' text ... they are HASH values, generated from the user URI, the REALM and the PASSWORD ... you could not use the HA1 and HA1_2 values for anything other than to 'check' whether the credentials sent (by the SIP UA) are OK; you could not use them to 'know' the unencrypted password.

Best regards 

> From: "Marc Storck" <mstorck at voipgate.com>
> To: "<spce-user at lists.sipwise.com>" <spce-user at lists.sipwise.com>
> Sent: Thursday, 30 April 2015 12:57:35
> Subject: Re: [Spce-user] Hide customer password in Kamailio DB

> What is the difference from reading the plain text (unencrypted) password or
> reading the plain text (unencrypted) HA1 and HA1_2 values from DB?

> AFAIK, an attacker, who was able to read either of them from your DB, can use
> those values to correctly authenticate to the SPCE in any case.

>> On 30 Apr 2015, at 13:45, Mathys Frédéric < frederic.mathys at nagra.com > wrote:
>> Hello,
>> When creating a new user, by default the password is saved in plaintext in the
>> DB, column “password”. For obvious security reasons, I’d like to remove the
>> password in this column and use only ha1 and ha1b values. To do that, I
>> modified the “auth_db” module configuration :
>> /etc/kamailio/proxy/kamailio.cfg
>> modparam("auth_db", "use_domain", 1)
>> modparam("auth_db", "calculate_ha1", 0)
>> modparam("auth_db", "password_column", "ha1")
>> modparam("auth_db", "password_column_2", "ha1_2")
>> Then, I removed the password for all users in the DB, and everyone seems able to
>> connect with this configuration. My problem is now when I create a new user,
>> the password is automatically saved in plaintext and I don’t want that. So I
>> tried to modify “kamctlrc” by adding the following line :
>> /etc/kamailio/proxy/kamctlrc and /etc/kamailio/lb/kamctlrc
>> STORE_PLAINTEXT_PW=0
>> This has no effect, what should I do to disable that?
>> Thank you
>> Frederic Mathys
>> System Integration & Validation Engineer
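Added example, not part of the original thread and not Kamailio or SPCE code: a simplified model of RFC 2617 digest authentication (MD5, no qop) showing how the two hash columns can be derived at provisioning time and how the server side checks a response using only the stored HA1. The user, realm, password, nonce and the row layout are constructed sample values; the "user@domain" form of the second hash is an assumption based on Kamailio's documented HA1B convention.

```python
import hashlib
import hmac

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 H(A1): MD5(username:realm:password)."""
    return _md5(f"{user}:{realm}:{password}")

def ha1b(user: str, domain: str, realm: str, password: str) -> str:
    """Second hash for UAs that send user@domain as the digest username."""
    return _md5(f"{user}@{domain}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{ha2}")

def server_check(stored_ha1: str, method: str, uri: str,
                 nonce: str, response: str) -> bool:
    """Server-side check from the stored hash only; no plaintext involved."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not taken from the thread).
USER, DOMAIN, REALM = "alice", "sip.example.org", "sip.example.org"
PASSWORD = "constructed-sample-pw"
METHOD, URI, NONCE = "REGISTER", "sip:sip.example.org", "5f3a9c0e-constructed"

def provision_row() -> dict:
    """Hypothetical subscriber row: hashes filled in, password left empty."""
    return {
        "username": USER,
        "domain": DOMAIN,
        "password": "",
        "ha1": ha1(USER, REALM, PASSWORD),
        "ha1b": ha1b(USER, DOMAIN, REALM, PASSWORD),
    }

if __name__ == "__main__":
    row = provision_row()
    # The UA derives HA1 from the password it knows, then answers the challenge.
    ua_response = digest_response(ha1(USER, REALM, PASSWORD), METHOD, URI, NONCE)
    print(row)
    print("accepted:", server_check(row["ha1"], METHOD, URI, NONCE, ua_response))
```

In this model the stored HA1 is the only secret input to the expected response, so the hash columns warrant the same access control as a password column, while the realm in the hash keeps the value from being valid under a different realm.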