[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?

Fraser Redmond fraserredmond at gmail.com
Wed Nov 30 03:22:04 MSK 2011


Thanks Vitalie, you're right that would work.

Unfortunately, I'm dealing with an existing set of users, and resetting
everyone's passwords so as to hash them differently isn't going to be an
option.

I'm hoping that one of the freeswitch developers can make it possible to
access the original sip_auth_password value (or a param in the xml_curl
conf to tell it to send the password as plain text.)

Cheers,
Fraser




On 29 November 2011 19:03, Vitalie Colosov <vetali100 at gmail.com> wrote:

> My suggestion is based on the assumption that you can implement md5 hash
> method to store users credentials in the database. If so, then you can read
> further.
>
> When a user registers, Freeswitch is doing md5 on the following value -
> username:domain:password
>
> Domain can be hardcoded to any value in the internal profile:
>
>
> <param name="challenge-realm" value="some_domain"/>
>
>
> So, when a user will register, your xml_curl will need to respond with the
> value of a1-hash:
>
>
> <param name="a1-hash" value="c6440e5de50b403206989679159de89a (example!)"/>
>
>
> When you create a user 1001, which has password 12345, you will need to
> store in the database the md5 hash value of the following
> string: 1001:some_domain:12345
>
> In php you can do it by using - md5($user.":some_domain:".$password)
>
> Obviously, if you need to hash only the password (without user id and
> domain) than this approach will not work for you.
> However I don't see why you can't hash the whole string.
>
>
> Regards,
> Vitalie
>
>
>
>
> 2011/11/29 Fraser Redmond <fraserredmond at gmail.com>
>
>> Thanks Vitalie, but the problem is that I don't have the password to
>> concatenate into the string - I only have the result of a one-way hash.
>>
>> The equivalent would be I had a file and did an md5 hash on it, I now
>> have the md5 hash, but don't have the original file. Freeswitch is doing a
>> different type of hash on the password entered by the user into the phone,
>> and sending the result of that, and now I have the different results of the
>> two different algorithm's to compare, which will always be different, even
>> though they were both based on the same input (the password string.)
>>
>> So what I need is for Freeswitch to send the original password through
>> instead of only sending several different hashes of it.
>>
>> I tried sending sip_auth_password through using enable-post-var, but
>> it's not available - can that be added to the possible variables? (sip_auth_username
>> does work)
>>
>> Cheers,
>> Fraser
>>
>>
>>
>>
>>
>> On 29 November 2011 17:29, Vitalie Colosov <vetali100 at gmail.com> wrote:
>>
>>> This might solve your problem:
>>>
>>> http://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#a1-hash
>>>
>>> In short, you should hash not only the "password", but the concatenation
>>> of "username:domain:password"
>>>
>>> Then use xml_curl to return this hashed value and FS will do
>>> the authentication for you.
>>>
>>> Please let me know if this helps.
>>>
>>> Regards,
>>> Vitalie
>>>
>>>
>>> 2011/11/29 Fraser Redmond <fraserredmond at gmail.com>
>>>
>>>> Thanks Randy... but I think either I don't understand you, or you don't
>>>> understand me...
>>>>
>>>> The password stored in the database has been hashed using mysql's
>>>> ENCRYPT function with a seed (because it's not good security policy to
>>>> store a password in any recoverable format.)
>>>>
>>>> I think you're saying that the nonce is also a hashed version of the
>>>> password that also can't be reverted back to the original password - is
>>>> that right?
>>>>
>>>> Which means that I now have two hashes which have been generated using
>>>> different methods, so there's no way to compare them - cant compare within
>>>> the cgi, and can't send the Freeswitch format back for Freeswitch to
>>>> compare.
>>>>
>>>> If that's the case (and I'd still like to be clear on that), is it
>>>> possible to pass through the password in addition? (I'll be using https, so
>>>> sending without hashing is ok.)
>>>>
>>>> Cheers,
>>>> Fraser
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>> Why don't you let your user authenticate using hashed password then in
>>>>> php you return the user xml with the hashed password that is stored.
>>>>> In that way, you will not have any issue. I don't think you can
>>>>> rebuild the original password as what hash function is meant to be one
>>>>> way only.
>>>>>
>>>>>
>>>>> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
>>>>> <fraserredmond at gmail.com> wrote:
>>>>> > I am setting up a connection to a database of users, whose passwords
>>>>> have
>>>>> > been saved as a one-way hash.
>>>>> > That means that my xml_curl php/sql will need to perform the
>>>>> authentication,
>>>>> > and return a user without any password.
>>>>> > (According to Anthony, back in
>>>>> > 2008:
>>>>> http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html
>>>>>  )
>>>>> > Only thing is I can't find any mention anywhere of how to
>>>>> re-generate the
>>>>> > user's password from the sip_auth variables in order to run it
>>>>> through my
>>>>> > one-way hash for comparison to the database.
>>>>> > It's got to be something to do with these:
>>>>> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
>>>>> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
>>>>> > sip_auth_nc = 0000000a
>>>>> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
>>>>> > Any ideas how to rebuild the original user's password?
>>>>> > Or is there a way to send the password through as part of the post?
>>>>> (maybe
>>>>> > using enable-post-var)
>>>>> > Cheers,
>>>>> > Fraser
>>>>> >
>>>>>
>>>>
>>>>
>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20111129/1ed496b8/attachment.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list