[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?

Fraser Redmond fraserredmond at gmail.com
Wed Nov 30 02:30:10 MSK 2011


Thanks Vitalie, but the problem is that I don't have the password to
concatenate into the string - I only have the result of a one-way hash.

The equivalent would be I had a file and did an md5 hash on it, I now have
the md5 hash, but don't have the original file. Freeswitch is doing a
different type of hash on the password entered by the user into the phone,
and sending the result of that, and now I have the different results of the
two different algorithms to compare, which will always be different, even
though they were both based on the same input (the password string.)

So what I need is for Freeswitch to send the original password through
instead of only sending several different hashes of it.

I tried sending sip_auth_password through using enable-post-var, but it's
not available - can that be added to the possible variables? (sip_auth_username
does work)

Cheers,
Fraser




On 29 November 2011 17:29, Vitalie Colosov <vetali100 at gmail.com> wrote:

> This might solve your problem:
>
> http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash
>
> In short, you should hash not only the "password", but the concatenation
> of "username:domain:password"
>
> Then use xml_curl to return this hashed value and FS will do
> the authentication for you.
>
> Please let me know if this helps.
>
> Regards,
> Vitalie
>
>
> 2011/11/29 Fraser Redmond <fraserredmond at gmail.com>
>
>> Thanks Rendy... but I think either I don't understand you, or you don't
>> understand me...
>>
>> The password stored in the database has been hashed using mysql's ENCRYPT
>> function with a seed (because it's not good security policy to store a
>> password in any recoverable format.)
>>
>> I think you're saying that the nonce is also a hashed version of the
>> password that also can't be reverted back to the original password - is
>> that right?
>>
>> Which means that I now have two hashes which have been generated using
>> different methods, so there's no way to compare them - can't compare within
>> the cgi, and can't send the Freeswitch format back for Freeswitch to
>> compare.
>>
>> If that's the case (and I'd still like to be clear on that), is it
>> possible to pass through the password in addition? (I'll be using https, so
>> sending without hashing is ok.)
>>
>> Cheers,
>> Fraser
>>
>>
>>
>>
>>
>> On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:
>>
>>> Hi,
>>> Why don't you let your user authenticate using the hashed password, then in
>>> php you return the user xml with the hashed password that is stored.
>>> In that way, you will not have any issue. I don't think you can
>>> rebuild the original password, as a hash function is meant to be one
>>> way only.
>>>
>>>
>>> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
>>> <fraserredmond at gmail.com> wrote:
>>> > I am setting up a connection to a database of users, whose passwords have
>>> > been saved as a one-way hash.
>>> > That means that my xml_curl php/sql will need to perform the authentication,
>>> > and return a user without any password.
>>> > (According to Anthony, back in 2008:
>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html )
>>> > Only thing is I can't find any mention anywhere of how to re-generate the
>>> > user's password from the sip_auth variables in order to run it through my
>>> > one-way hash for comparison to the database.
>>> > It's got to be something to do with these:
>>> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
>>> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
>>> > sip_auth_nc = 0000000a
>>> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
>>> > Any ideas how to rebuild the original user's password?
>>> > Or is there a way to send the password through as part of the post? (maybe
>>> > using enable-post-var)
>>> > Cheers,
>>> > Fraser
>>> >
>>>
>>
>

