[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?

Rendy rendyfrx at gmail.com
Wed Nov 30 03:26:13 MSK 2011


Hi Fraser,
What I mean is like this, when user trying to authenticate says via
your application, can you hashed the password in the same manner
before sending to Freeswitch (says MD5)? If yes, then in your php, you
should return the XML with hashed user password that you retrieve from
DB and let Freeswitch compare for you. You do not need to compare
yourself.

Hope I understand your problem correctly and this can solved it :)


On Wed, Nov 30, 2011 at 12:19 AM, Fraser Redmond
<fraserredmond at gmail.com> wrote:
> Thanks Randy... but I think either I don't understand you, or you don't
> understand me...
>
> The password stored in the database has been hashed using mysql's ENCRYPT
> function with a seed (because it's not good security policy to store a
> password in any recoverable format.)
>
> I think you're saying that the nonce is also a hashed version of the
> password that also can't be reverted back to the original password - is that
> right?
>
> Which means that I now have two hashes which have been generated using
> different methods, so there's no way to compare them - cant compare within
> the cgi, and can't send the Freeswitch format back for Freeswitch to
> compare.
>
> If that's the case (and I'd still like to be clear on that), is it possible
> to pass through the password in addition? (I'll be using https, so sending
> without hashing is ok.)
>
> Cheers,
> Fraser
>
>
>
>
>
> On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:
>>
>> Hi,
>> Why don't you let your user authenticate using hashed password then in
>> php you return the user xml with the hashed password that is stored.
>> In that way, you will not have any issue. I don't think you can
>> rebuild the original password as what hash function is meant to be one
>> way only.
>>
>>
>> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
>> <fraserredmond at gmail.com> wrote:
>> > I am setting up a connection to a database of users, whose passwords
>> > have
>> > been saved as a one-way hash.
>> > That means that my xml_curl php/sql will need to perform the
>> > authentication,
>> > and return a user without any password.
>> > (According to Anthony, back in
>> >
>> > 2008: http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html )
>> > Only thing is I can't find any mention anywhere of how to re-generate
>> > the
>> > user's password from the sip_auth variables in order to run it through
>> > my
>> > one-way hash for comparison to the database.
>> > It's got to be something to do with these:
>> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
>> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
>> > sip_auth_nc = 0000000a
>> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
>> > Any ideas how to rebuild the original user's password?
>> > Or is there a way to send the password through as part of the post?
>> > (maybe
>> > using enable-post-var)
>> > Cheers,
>> > Fraser
>> >
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>



Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list