[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?
Vitalie Colosov
vetali100 at gmail.com
Wed Nov 30 01:29:09 MSK 2011
This might solve your problem:
http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash
In short, you should hash not only the "password", but the concatenation of
"username:domain:password"
Then use xml_curl to return this hashed value and FS will do
the authentication for you.
Please let me know if this helps.
Regards,
Vitalie
2011/11/29 Fraser Redmond <fraserredmond at gmail.com>
> Thanks Randy... but I think either I don't understand you, or you don't
> understand me...
>
> The password stored in the database has been hashed using mysql's ENCRYPT
> function with a seed (because it's not good security policy to store a
> password in any recoverable format.)
>
> I think you're saying that the nonce is also a hashed version of the
> password that also can't be reverted back to the original password - is
> that right?
>
> Which means that I now have two hashes which have been generated using
> different methods, so there's no way to compare them - cant compare within
> the cgi, and can't send the Freeswitch format back for Freeswitch to
> compare.
>
> If that's the case (and I'd still like to be clear on that), is it
> possible to pass through the password in addition? (I'll be using https, so
> sending without hashing is ok.)
>
> Cheers,
> Fraser
>
>
>
>
>
> On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:
>
>> Hi,
>> Why don't you let your user authenticate using hashed password then in
>> php you return the user xml with the hashed password that is stored.
>> In that way, you will not have any issue. I don't think you can
>> rebuild the original password as what hash function is meant to be one
>> way only.
>>
>>
>> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
>> <fraserredmond at gmail.com> wrote:
>> > I am setting up a connection to a database of users, whose passwords
>> have
>> > been saved as a one-way hash.
>> > That means that my xml_curl php/sql will need to perform the
>> authentication,
>> > and return a user without any password.
>> > (According to Anthony, back in
>> > 2008:
>> http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html
>> )
>> > Only thing is I can't find any mention anywhere of how to re-generate
>> the
>> > user's password from the sip_auth variables in order to run it through
>> my
>> > one-way hash for comparison to the database.
>> > It's got to be something to do with these:
>> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
>> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
>> > sip_auth_nc = 0000000a
>> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
>> > Any ideas how to rebuild the original user's password?
>> > Or is there a way to send the password through as part of the post?
>> (maybe
>> > using enable-post-var)
>> > Cheers,
>> > Fraser
>> >
>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20111129/fc677f74/attachment-0001.html
Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users
mailing list