Thanks Vitalie, you're right, that would work. <div><br></div><div>Unfortunately, I'm dealing with an existing set of users, and resetting everyone's passwords so as to hash them differently isn't going to be an option.<div>
<br></div><div>I'm hoping that one of the freeswitch developers can make it possible to access the original sip_auth_password value (or a param in the xml_curl conf to tell it to send the password as plain text.)</div>
<div><br clear="all">Cheers,<br>Fraser<br><br><br>
<br><br><div class="gmail_quote">On 29 November 2011 19:03, Vitalie Colosov <span dir="ltr"><<a href="mailto:vetali100@gmail.com">vetali100@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>My suggestion is based on the assumption that you can implement md5 hash method to store users credentials in the database. If so, then you can read further.</div><div><br></div>When a user registers, Freeswitch is doing md5 on the following value - username:domain:password<div>
<br></div><div>Domain can be hardcoded to any value in the internal profile:</div><div><br></div><div><pre style="padding-top:1em;padding-right:1em;padding-bottom:1em;padding-left:1em;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:dashed;border-right-style:dashed;border-bottom-style:dashed;border-left-style:dashed;border-top-color:rgb(47,111,171);border-right-color:rgb(47,111,171);border-bottom-color:rgb(47,111,171);border-left-color:rgb(47,111,171);background-color:rgb(255,255,255);line-height:1.1em">
<param name="challenge-realm" value="some_domain"/> </pre><div><br></div><div>So, when a user will register, your xml_curl will need to respond with the value of a1-hash:</div><div><br></div><div>
<pre style="padding-top:1em;padding-right:1em;padding-bottom:1em;padding-left:1em;border-top-width:1px;border-right-width:1px;border-bottom-width:1px;border-left-width:1px;border-top-style:dashed;border-right-style:dashed;border-bottom-style:dashed;border-left-style:dashed;border-top-color:rgb(47,111,171);border-right-color:rgb(47,111,171);border-bottom-color:rgb(47,111,171);border-left-color:rgb(47,111,171);background-color:rgb(255,255,255);line-height:1.1em">
<param name="a1-hash" value="c6440e5de50b403206989679159de89a (example!)"/></pre></div><div><br></div><div>When you create a user 1001, which has password 12345, you will need to store in the database the md5 hash value of the following string: 1001:some_domain:12345</div>
<div><br></div><div>In PHP you can do it by using - md5($user.":some_domain:".$password)</div><div><br></div><div>Obviously, if you need to hash only the password (without user id and domain) then this approach will not work for you.</div>
<div>However I don't see why you can't hash the whole string.</div><div><div class="h5"><div><br></div><div><br></div><div>Regards,</div><div>Vitalie</div><div><br></div><div><br></div><div><br><br><div class="gmail_quote">
2011/11/29 Fraser Redmond <span dir="ltr"><<a href="mailto:fraserredmond@gmail.com" target="_blank">fraserredmond@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks Vitalie, but the problem is that I don't have the password to concatenate into the string - I only have the result of a one-way hash. <div>
<br></div><div>The equivalent would be if I had a file and did an md5 hash on it: I now have the md5 hash, but don't have the original file. Freeswitch is doing a different type of hash on the password entered by the user into the phone, and sending the result of that, and now I have the different results of the two different algorithms to compare, which will always be different, even though they were both based on the same input (the password string.)</div>
<div><br></div><div>So what I need is for Freeswitch to send the original password through instead of only sending several different hashes of it.<br><div><br></div><div>I tried sending sip_auth_password through using <span>enable-post-var, but it's not available - can that be added to the possible variables?</span><span> </span><span>(sip_auth_username does work)</span></div>
<div><br clear="all">Cheers,<br><font color="#888888">Fraser</font><div><div></div><div><br><br><br>
<br><br><div class="gmail_quote">On 29 November 2011 17:29, Vitalie Colosov <span dir="ltr"><<a href="mailto:vetali100@gmail.com" target="_blank">vetali100@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This might solve your problem:<div><br></div><div><a href="http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash" target="_blank">http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash</a></div><div>
<br>
</div><div>In short, you should hash not only the "password", but the concatenation of "<span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)">username:domain:password"</span></div>
<div><span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)"><br></span></div><div><span style="background-color:rgb(255,255,255)"><font face="sans-serif"><span style="line-height:19px">Then use xml_curl to return this hashed value and FS will do the authentication for you.</span></font></span></div>
<div><span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)"><br></span></div><div><span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)">Please let me know if this helps.</span></div>
<div><span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)"><br></span></div><div><span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)">Regards,</span></div>
<div><span style="font-family:sans-serif;font-size:13px;line-height:19px;background-color:rgb(255,255,255)">Vitalie</span></div><div><br><br><div class="gmail_quote">2011/11/29 Fraser Redmond <span dir="ltr"><<a href="mailto:fraserredmond@gmail.com" target="_blank">fraserredmond@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Thanks Randy... but I think either I don't understand you, or you don't understand me...<div>
<br></div><div>The password stored in the database has been hashed using mysql's ENCRYPT function with a seed (because it's not good security policy to store a password in any recoverable format.)</div>
<div><br></div><div>I think you're saying that the nonce is also a hashed version of the password that also can't be reverted back to the original password - is that right?</div><div><br></div><div>Which means that I now have two hashes which have been generated using different methods, so there's no way to compare them - can't compare within the cgi, and can't send the Freeswitch format back for Freeswitch to compare.</div>
<div><br></div><div>If that's the case (and I'd still like to be clear on that), is it possible to pass through the password in addition? (I'll be using https, so sending without hashing is ok.)</div><div>
<br clear="all">Cheers,<br><font color="#888888">Fraser</font><div><div></div><div><br><br><br>
<br><br><div class="gmail_quote">On 28 November 2011 23:59, Rendy <span dir="ltr"><<a href="mailto:rendyfrx@gmail.com" target="_blank">rendyfrx@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
Why don't you let your user authenticate using the hashed password, then in<br>
PHP return the user XML with the hashed password that is stored.<br>
In that way, you will not have any issue. I don't think you can<br>
rebuild the original password, as a hash function is meant to be one<br>
way only.<br>
<div><div><br>
<br>
On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond<br>
<<a href="mailto:fraserredmond@gmail.com" target="_blank">fraserredmond@gmail.com</a>> wrote:<br>
> I am setting up a connection to a database of users, whose passwords have<br>
> been saved as a one-way hash.<br>
> That means that my xml_curl php/sql will need to perform the authentication,<br>
> and return a user without any password.<br>
> (According to Anthony, back in<br>
> 2008: <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html" target="_blank">http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html</a> )<br>
> The only thing is that I can't find any mention anywhere of how to re-generate the<br>
> user's password from the sip_auth variables in order to run it through my<br>
> one-way hash for comparison to the database.<br>
> It's got to be something to do with these:<br>
> sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7<br>
> sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d<br>
> sip_auth_nc = 0000000a<br>
> sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3<br>
> Any ideas how to rebuild the original user's password?<br>
> Or is there a way to send the password through as part of the post? (maybe<br>
> using enable-post-var)<br>
> Cheers,<br>
> Fraser<br>
></div></div></blockquote></div></div></div></div>
<br></div></div><div><br></div></blockquote></div></div></blockquote></div></div></div></div></div></blockquote></div></div></div></div></div></blockquote></div></div></div>
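The arithmetic behind the a1-hash approach Vitalie describes, as an added example that is not code from this thread or from the FreeSWITCH project: a SIP digest challenge/response (RFC 2617) can be verified from HA1 = md5(username:realm:password) alone, so a directory backend can store HA1 instead of the password, return it as `a1-hash`, and still have every REGISTER verified, while a hash of the bare password (what Fraser's database holds) cannot be used for this. The nonce, cnonce and nc values are the ones from Fraser's post; the user, password, URI and response are constructed, and post-variable names other than the `sip_auth_username`, `sip_auth_nonce`, `sip_auth_cnonce`, `sip_auth_nc` and `sip_auth_response` seen in the thread are assumed.

```python
import hashlib
import hmac

# Added example (not from the mailing-list thread). Demonstrates why storing
# HA1 = md5(username:realm:password) lets FreeSWITCH verify digest logins,
# and why an unrelated one-way hash of the password alone cannot be compared.
# Sample values are constructed except the nonce/cnonce/nc quoted in the thread;
# post-variable names beyond those seen in the thread are assumptions.

REALM = "some_domain"  # must match the profile's challenge-realm param


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """HA1, the value a directory backend returns in <param name="a1-hash"/>."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str = "", cnonce: str = "", qop: str = "") -> str:
    """Digest response as the phone computes it (RFC 2617 with qop, RFC 2069 without)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_register(stored_ha1: str, post: dict) -> bool:
    """What the server does with a1-hash: recompute from HA1 and compare in constant time."""
    expected = digest_response(
        stored_ha1,
        post.get("sip_auth_method", "REGISTER"),  # assumed variable name
        post["sip_auth_uri"],                     # assumed variable name
        post["sip_auth_nonce"],
        post.get("sip_auth_nc", ""),
        post.get("sip_auth_cnonce", ""),
        post.get("sip_auth_qop", ""),             # assumed variable name
    )
    return hmac.compare_digest(expected, post["sip_auth_response"])


def build_sample_post(password: str) -> dict:
    """Constructed REGISTER post vars for user 1001, as a phone with this password would send."""
    post = {
        "sip_auth_username": "1001",
        "sip_auth_realm": REALM,
        "sip_auth_method": "REGISTER",
        "sip_auth_uri": f"sip:{REALM}",
        "sip_auth_nonce": "4d95dd9f-2247-474a-8496-aa7c08700fe7",   # from the thread
        "sip_auth_nc": "0000000a",                                  # from the thread
        "sip_auth_cnonce": "a088c6b6ba18d1387a45998b6bfa842d",      # from the thread
        "sip_auth_qop": "auth",
    }
    post["sip_auth_response"] = digest_response(
        a1_hash("1001", REALM, password), "REGISTER", post["sip_auth_uri"],
        post["sip_auth_nonce"], post["sip_auth_nc"], post["sip_auth_cnonce"], "auth")
    return post


def demo() -> dict:
    stored = a1_hash("1001", REALM, "12345")            # what the database should hold
    good = verify_register(stored, build_sample_post("12345"))
    bad = verify_register(stored, build_sample_post("guess"))
    # A hash of the password by itself has no relation to HA1, so it can never verify:
    unrelated = verify_register(md5_hex("12345"), build_sample_post("12345"))
    return {"stored_ha1": stored, "good": good, "bad": bad, "other_hash": unrelated}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The realm baked into HA1 is the one the phone is challenged with, which is why the thread suggests pinning `challenge-realm` in the profile: if the realm changes, every stored HA1 stops matching and the users would need to re-enter their passwords.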