[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?

Fraser Redmond fraserredmond at gmail.com
Tue Nov 29 19:19:08 MSK 2011


Thanks Randy... but I think either I don't understand you, or you don't
understand me...

The password stored in the database has been hashed using mysql's ENCRYPT
function with a seed (because it's not good security policy to store a
password in any recoverable format.)

I think you're saying that the nonce is also a hashed version of the
password that also can't be reverted back to the original password - is
that right?

Which means that I now have two hashes which have been generated using
different methods, so there's no way to compare them - can't compare within
the cgi, and can't send the Freeswitch format back for Freeswitch to
compare.

If that's the case (and I'd still like to be clear on that), is it possible
to pass through the password in addition? (I'll be using https, so sending
without hashing is ok.)

Cheers,
Fraser




On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:

> Hi,
> Why don't you let your user authenticate using the hashed password, then in
> php you return the user xml with the hashed password that is stored.
> In that way, you will not have any issue. I don't think you can
> rebuild the original password, as a hash function is meant to be one
> way only.
>
>
> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
> <fraserredmond at gmail.com> wrote:
> > I am setting up a connection to a database of users, whose passwords have
> > been saved as a one-way hash.
> > That means that my xml_curl php/sql will need to perform the authentication,
> > and return a user without any password.
> > (According to Anthony, back in 2008:
> > http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html )
> > Only thing is I can't find any mention anywhere of how to re-generate the
> > user's password from the sip_auth variables in order to run it through my
> > one-way hash for comparison to the database.
> > It's got to be something to do with these:
> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
> > sip_auth_nc = 0000000a
> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
> > Any ideas how to rebuild the original user's password?
> > Or is there a way to send the password through as part of the post? (maybe
> > using enable-post-var)
> > Cheers,
> > Fraser
> >
>
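
The sip_auth_* values discussed in this thread are inputs and output of standard HTTP/SIP digest authentication (RFC 2617), so the response can only be checked by someone holding the plaintext password or HA1 = MD5(user:realm:password). The sketch below is an added example, not part of the original thread or of FreeSWITCH's code. Assumptions: the function names are hypothetical, all sample values are constructed, and SHA-256 with a salt stands in for the database's ENCRYPT() hash.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), the only password-derived digest input."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 'response' value, computed the same way by client and server."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")  # older form, no qop/cnonce/nc


def verify(stored_ha1, received_response, **fields) -> bool:
    """Server-side check: needs HA1 (or the plaintext), never recovers the password."""
    expected = digest_response(stored_ha1, **fields)
    return hmac.compare_digest(expected, received_response.lower())


# Constructed sample values (not taken from the thread).
USER, REALM, PASSWORD = "1000", "pbx.example.test", "s3cret-Example"
FIELDS = dict(method="REGISTER", uri="sip:pbx.example.test",
              nonce="11111111-2222-3333-4444-555555555555",
              nc="00000001", cnonce="0a4f113b", qop="auth")


def demo() -> dict:
    client_response = digest_response(ha1(USER, REALM, PASSWORD), **FIELDS)
    # Stand-in for a salted one-way hash such as the ENCRYPT() value in the DB.
    salted = hashlib.sha256(b"constructed-salt" + PASSWORD.encode()).hexdigest()
    return {
        "stored_ha1": verify(ha1(USER, REALM, PASSWORD), client_response, **FIELDS),
        "wrong_password": verify(ha1(USER, REALM, "guess"), client_response, **FIELDS),
        "salted_hash": verify(salted, client_response, **FIELDS),
        "new_nonce": verify(ha1(USER, REALM, PASSWORD), client_response,
                            **{**FIELDS, "nonce": "another-nonce"}),
    }


if __name__ == "__main__":
    print(demo())
```

Only the stored-HA1 case verifies; the salted hash, a wrong password and a different nonce all fail. FreeSWITCH's directory can take the HA1 value through the `a1-hash` user param in place of a plaintext `password`, which still requires capturing HA1 at the time the password is set.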