[Freeswitch-users] Question about a1-hash

Mike van Lammeren mike at van.lammeren.net
Thu Jan 14 08:24:42 PST 2010


That's awesome! I should have noticed those 32-character strings in the
parameters passed to the script. Thanks!

It's a little off-topic, but I'm glad to see someone using digest
authentication. It's too bad that it was un-supported by browsers for so
long, that no one touched it for web apps. The choice is either use basic
authentication, which is plaintext, or switch to https. With https, not
everyone realizes that the web server, and any apps, can see the password in
plain text.

Mike van Lammeren


On Thu, Jan 14, 2010 at 11:00 AM, Brian West <brian at freeswitch.org> wrote:

> We don't have the password so we can't pass it to you please read:
> http://en.wikipedia.org/wiki/Digest_access_authentication
>
> Its how the authentication is done and we are never given the text of the
> password you are however given the details so you can calculate the response
> and verify it without having to know the password.
>
> /b
>
> On Jan 14, 2010, at 9:44 AM, Mike van Lammeren wrote:
>
> Hello!
>
> I have written a Lua script to connect to a database and provide directory
> information for phones registering with FreeSWITCH.
>
> My problem is that I store an MD5 hash of the passwords in the database, so
> I wish there was a way to get FreeSWITCH to authenticate using the MD5 hash
> of the password provided by the phone, and not the password itself.
>
> According to the wiki<http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide>,
> it is possible to pass in a parameter called *a1-hash* instead of the
> username and password. The a1-hash parameter is an MD5 hash of a string
> comprising the username, domain and password, separated by
> colons. Unfortunately, I can't generate that string, since I don't have the
> raw password, just the MD5 hash.
>
> I would have my Lua script do the authentication, but cannot because
> FreeSWITCH doesn't pass the user's password to the script.
>
> The best solution I can think of is to enter the MD5 hash of the password
> in the phone.
>
> Does anyone have a better idea?
>
>
> Mike van Lammeren
>
>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100114/fecd70d7/attachment-0002.html 


More information about the FreeSWITCH-users mailing list