[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?

Fraser Redmond fraserredmond at gmail.com
Wed Nov 30 03:33:31 MSK 2011


Thanks Rendy, but they're hashed differently, so I can't return the hash
from the database, as it wouldn't match with the hash generated by
Freeswitch.

It really looks like I need to get Freeswitch to send the original password
string to the cgi/application.

Cheers,
Fraser




On 29 November 2011 19:26, Rendy <rendyfrx at gmail.com> wrote:

> Hi Fraser,
> What I mean is like this: when a user is trying to authenticate, say via
> your application, can you hash the password in the same manner
> before sending to Freeswitch (say MD5)? If yes, then in your php, you
> should return the XML with the hashed user password that you retrieve from
> DB and let Freeswitch compare for you. You do not need to compare
> yourself.
>
> Hope I understand your problem correctly and this can solve it :)
>
>
> On Wed, Nov 30, 2011 at 12:19 AM, Fraser Redmond
> <fraserredmond at gmail.com> wrote:
> > Thanks Rendy... but I think either I don't understand you, or you don't
> > understand me...
> >
> > The password stored in the database has been hashed using mysql's ENCRYPT
> > function with a seed (because it's not good security policy to store a
> > password in any recoverable format.)
> >
> > I think you're saying that the nonce is also a hashed version of the
> > password that also can't be reverted back to the original password - is
> > that right?
> >
> > Which means that I now have two hashes which have been generated using
> > different methods, so there's no way to compare them - can't compare
> > within the cgi, and can't send the Freeswitch format back for Freeswitch to
> > compare.
> >
> > If that's the case (and I'd still like to be clear on that), is it
> > possible to pass through the password in addition? (I'll be using https, so
> > sending without hashing is ok.)
> >
> > Cheers,
> > Fraser
> >
> >
> >
> >
> >
> > On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:
> >>
> >> Hi,
> >> Why don't you let your user authenticate using a hashed password, then in
> >> php you return the user xml with the hashed password that is stored?
> >> In that way, you will not have any issue. I don't think you can
> >> rebuild the original password, as a hash function is meant to be one
> >> way only.
> >>
> >>
> >> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
> >> <fraserredmond at gmail.com> wrote:
> >> > I am setting up a connection to a database of users, whose passwords
> >> > have been saved as a one-way hash.
> >> > That means that my xml_curl php/sql will need to perform the
> >> > authentication, and return a user without any password.
> >> > (According to Anthony, back in 2008:
> >> > http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html )
> >> > Only thing is I can't find any mention anywhere of how to re-generate
> >> > the user's password from the sip_auth variables in order to run it through
> >> > my one-way hash for comparison to the database.
> >> > It's got to be something to do with these:
> >> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
> >> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
> >> > sip_auth_nc = 0000000a
> >> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
> >> > Any ideas how to rebuild the original user's password?
> >> > Or is there a way to send the password through as part of the post?
> >> > (maybe using enable-post-var)
> >> > Cheers,
> >> > Fraser
> >> >
> >
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > 
> > 
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://wiki.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
>
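
Added example, not part of the original thread or of FreeSWITCH's code: a sketch of the RFC 2617 digest calculation behind the `sip_auth_*` values quoted above. It shows that the password enters only through HA1 = MD5(user:realm:password), so the verifying side must hold the plaintext or HA1, and a hash stored in any other format cannot be checked against `sip_auth_response`. The user, realm, password, URI and the crypt-style placeholder are constructed; the nonce, cnonce and nc are the ones from the thread.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # The only place the password enters the digest calculation.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored_ha1, auth):
    # Server side: recompute from the stored HA1, compare in constant time.
    expected = digest_response(stored_ha1, auth["method"], auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])

# Constructed sample values (user, realm, password and URI are hypothetical).
USER, REALM, PASSWORD = "1000", "pbx.example.test", "s3cret-constructed"
AUTH = {
    "method": "REGISTER",
    "uri": "sip:pbx.example.test",
    "nonce": "4d95dd9f-2247-474a-8496-aa7c08700fe7",   # from the thread
    "cnonce": "a088c6b6ba18d1387a45998b6bfa842d",      # from the thread
    "nc": "0000000a",                                  # from the thread
}
# What the phone does: it knows the password, so it can build HA1.
AUTH["response"] = digest_response(ha1(USER, REALM, PASSWORD), AUTH["method"],
                                   AUTH["uri"], AUTH["nonce"], AUTH["nc"],
                                   AUTH["cnonce"])

# Placeholder in crypt(3) layout standing in for a MySQL ENCRYPT() value;
# it is not a real hash of PASSWORD.
CRYPT_STYLE_HASH = "abCONSTRUCTED"

if __name__ == "__main__":
    print("stored HA1 verifies:      ", verify(ha1(USER, REALM, PASSWORD), AUTH))
    print("crypt-style hash verifies:", verify(CRYPT_STYLE_HASH, AUTH))
```

FreeSWITCH's directory accepts a precomputed HA1 as the `a1-hash` user param in place of `password`. HA1 is password-equivalent for that user and realm, so it needs the same protection at rest as the password itself.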