Thanks Vitalie, but the problem is that I don't have the password to concatenate into the string - I only have the result of a one-way hash. <div><br></div><div>The equivalent would be I had a file and did an md5 hash on it, I now have the md5 hash, but don't have the original file. Freeswitch is doing a different type of hash on the password entered by the user into the phone, and sending the result of that, and now I have the different results of the two different algorithms to compare, which will always be different, even though they were both based on the same input (the password string.)</div>
<div><br></div><div>So what I need is for Freeswitch to send the original password through instead of only sending several different hashes of it.<br><div><br></div><div>I tried sending sip_auth_password through using enable-post-var, but it's not available - can that be added to the possible variables? (sip_auth_username does work)</div>
<div><br clear="all">Cheers,<br>Fraser<br><br><br>
<br><br><div class="gmail_quote">On 29 November 2011 17:29, Vitalie Colosov <span dir="ltr"><<a href="mailto:vetali100@gmail.com">vetali100@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
This might solve your problem:<div><br></div><div><a href="http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash" target="_blank">http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash</a></div><div>
<br>
</div><div>In short, you should hash not only the "password", but the concatenation of "username:domain:password"</div>
<div><br></div><div>Then use xml_curl to return this hashed value and FS will do the authentication for you.</div>
<div><br></div><div>Please let me know if this helps.</div>
<div><br></div><div>Regards,</div>
<div>Vitalie</div><div><br><br><div class="gmail_quote">2011/11/29 Fraser Redmond <span dir="ltr"><<a href="mailto:fraserredmond@gmail.com" target="_blank">fraserredmond@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">Thanks Randy... but I think either I don't understand you, or you don't understand me...<div>
<br></div><div>The password stored in the database has been hashed using mysql's ENCRYPT function with a seed (because it's not good security policy to store a password in any recoverable format.)</div>
<div><br></div><div>I think you're saying that the nonce is also a hashed version of the password that also can't be reverted back to the original password - is that right?</div><div><br></div><div>Which means that I now have two hashes which have been generated using different methods, so there's no way to compare them - can't compare within the cgi, and can't send the Freeswitch format back for Freeswitch to compare.</div>
<div><br></div><div>If that's the case (and I'd still like to be clear on that), is it possible to pass through the password in addition? (I'll be using https, so sending without hashing is ok.)</div><div>
<br clear="all">Cheers,<br><font color="#888888">Fraser</font><div><div></div><div><br><br><br>
<br><br><div class="gmail_quote">On 28 November 2011 23:59, Rendy <span dir="ltr"><<a href="mailto:rendyfrx@gmail.com" target="_blank">rendyfrx@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
Why don't you let your user authenticate using hashed password then in<br>
php you return the user xml with the hashed password that is stored.<br>
In that way, you will not have any issue. I don't think you can<br>
rebuild the original password as what hash function is meant to be one<br>
way only.<br>
<div><div><br>
<br>
On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond<br>
<<a href="mailto:fraserredmond@gmail.com" target="_blank">fraserredmond@gmail.com</a>> wrote:<br>
> I am setting up a connection to a database of users, whose passwords have<br>
> been saved as a one-way hash.<br>
> That means that my xml_curl php/sql will need to perform the authentication,<br>
> and return a user without any password.<br>
> (According to Anthony, back in<br>
> 2008: <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html" target="_blank">http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html</a> )<br>
> Only thing is I can't find any mention anywhere of how to re-generate the<br>
> user's password from the sip_auth variables in order to run it through my<br>
> one-way hash for comparison to the database.<br>
> It's got to be something to do with these:<br>
> sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7<br>
> sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d<br>
> sip_auth_nc = 0000000a<br>
> sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3<br>
> Any ideas how to rebuild the original user's password?<br>
> Or is there a way to send the password through as part of the post? (maybe<br>
> using enable-post-var)<br>
> Cheers,<br>
> Fraser<br>
></div></div></blockquote></div></div></div></div>
<br></div></div><div class="im">_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></div></blockquote></div><br></div>
<br></blockquote></div><br></div></div>
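<div>The a1-hash approach suggested in the thread, as an added example (not code from the thread or from FreeSWITCH): the digest response the phone sends is built from MD5(username:domain:password), so a server that stores that value can verify a login without the plaintext, while a hash made any other way cannot be compared. The user, domain, password, method and URI below are constructed, the function names are hypothetical, and the nonce, cnonce and nc are the ones quoted in the thread.</div>

```python
import hashlib
import hmac
from xml.sax.saxutils import quoteattr


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def a1_hash(username, realm, password):
    # HA1 of RFC 2617: computed once, while the password is known, then stored.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    # The value the phone sends as sip_auth_response; it needs HA1, not the password.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    if qop is None:  # legacy form without qop
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    raise ValueError("only qop=auth or no qop is handled in this example")


def verify(stored_ha1, received, **challenge):
    # Recompute from the stored HA1 and compare in constant time.
    expected = digest_response(stored_ha1, **challenge)
    return hmac.compare_digest(expected, received)


def directory_user_xml(username, stored_ha1):
    # Fragment an xml_curl handler could return so FreeSWITCH does the check itself.
    return ('<user id=%s><params><param name="a1-hash" value=%s/></params></user>'
            % (quoteattr(username), quoteattr(stored_ha1)))


# Constructed sample: user, realm, password, method and URI are made up;
# nonce, cnonce and nc are the values quoted in the thread.
CHALLENGE = dict(method="REGISTER", uri="sip:example.invalid",
                 nonce="4d95dd9f-2247-474a-8496-aa7c08700fe7",
                 nc="0000000a", cnonce="a088c6b6ba18d1387a45998b6bfa842d", qop="auth")
STORED_HA1 = a1_hash("1001", "example.invalid", "constructed-password")

if __name__ == "__main__":
    from_phone = digest_response(STORED_HA1, **CHALLENGE)  # the phone knows the password
    print("accepted:", verify(STORED_HA1, from_phone, **CHALLENGE))
    wrong = a1_hash("1001", "example.invalid", "wrong-guess")
    print("wrong password accepted:",
          verify(STORED_HA1, digest_response(wrong, **CHALLENGE), **CHALLENGE))
    print(directory_user_xml("1001", STORED_HA1))
```

<div>The stored a1-hash has to be produced at a moment when the plaintext is available, such as when the password is set; it cannot be derived from an existing one-way hash.</div>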