[Freeswitch-users] xml_curl directory - doing authentication in cgi, how to recreate user's password?

Rendy rendyfrx at gmail.com
Wed Nov 30 05:29:18 MSK 2011


Hi Fraser,
As pointed out in the link from Vitalie, you can use Basic type, not
a1-hash, so there is no hashing by Freeswitch.
However, if you cannot rehash user password input to the same like in
your DB, then you will need to get Freeswitch to send over the
password to your php.
Anyway, I would like to know also how to get Freeswitch to send over
the password and return XML format respectively.



On Wed, Nov 30, 2011 at 8:33 AM, Fraser Redmond <fraserredmond at gmail.com> wrote:
> Thanks Rendy, but they're hashed differently, so I can't return the hash
> from the database, as it wouldn't match with the hash generated by
> Freeswitch.
> It really looks like I need to get Freeswitch to send the original password
> string to the cgi/application.
> Cheers,
> Fraser
>
>
>
>
> On 29 November 2011 19:26, Rendy <rendyfrx at gmail.com> wrote:
>>
>> Hi Fraser,
>> What I mean is like this, when user trying to authenticate says via
>> your application, can you hashed the password in the same manner
>> before sending to Freeswitch (says MD5)? If yes, then in your php, you
>> should return the XML with hashed user password that you retrieve from
>> DB and let Freeswitch compare for you. You do not need to compare
>> yourself.
>>
>> Hope I understand your problem correctly and this can solved it :)
>>
>>
>> On Wed, Nov 30, 2011 at 12:19 AM, Fraser Redmond
>> <fraserredmond at gmail.com> wrote:
>> > Thanks Randy... but I think either I don't understand you, or you don't
>> > understand me...
>> >
>> > The password stored in the database has been hashed using mysql's
>> > ENCRYPT
>> > function with a seed (because it's not good security policy to store a
>> > password in any recoverable format.)
>> >
>> > I think you're saying that the nonce is also a hashed version of the
>> > password that also can't be reverted back to the original password - is
>> > that
>> > right?
>> >
>> > Which means that I now have two hashes which have been generated using
>> > different methods, so there's no way to compare them - cant compare
>> > within
>> > the cgi, and can't send the Freeswitch format back for Freeswitch to
>> > compare.
>> >
>> > If that's the case (and I'd still like to be clear on that), is it
>> > possible
>> > to pass through the password in addition? (I'll be using https, so
>> > sending
>> > without hashing is ok.)
>> >
>> > Cheers,
>> > Fraser
>> >
>> >
>> >
>> >
>> >
>> > On 28 November 2011 23:59, Rendy <rendyfrx at gmail.com> wrote:
>> >>
>> >> Hi,
>> >> Why don't you let your user authenticate using hashed password then in
>> >> php you return the user xml with the hashed password that is stored.
>> >> In that way, you will not have any issue. I don't think you can
>> >> rebuild the original password as what hash function is meant to be one
>> >> way only.
>> >>
>> >>
>> >> On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond
>> >> <fraserredmond at gmail.com> wrote:
>> >> > I am setting up a connection to a database of users, whose passwords
>> >> > have
>> >> > been saved as a one-way hash.
>> >> > That means that my xml_curl php/sql will need to perform the
>> >> > authentication,
>> >> > and return a user without any password.
>> >> > (According to Anthony, back in
>> >> >
>> >> >
>> >> > 2008: http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html )
>> >> > Only thing is I can't find any mention anywhere of how to re-generate
>> >> > the
>> >> > user's password from the sip_auth variables in order to run it
>> >> > through
>> >> > my
>> >> > one-way hash for comparison to the database.
>> >> > It's got to be something to do with these:
>> >> > sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7
>> >> > sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d
>> >> > sip_auth_nc = 0000000a
>> >> > sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3
>> >> > Any ideas how to rebuild the original user's password?
>> >> > Or is there a way to send the password through as part of the post?
>> >> > (maybe
>> >> > using enable-post-var)
>> >> > Cheers,
>> >> > Fraser
>> >> >
>> >
>> >
>> >
>> > _________________________________________________________________________
>> > Professional FreeSWITCH Consulting Services:
>> > consulting at freeswitch.org
>> > http://www.freeswitchsolutions.com
>> >
>> > 
>> > 
>> >
>> > Official FreeSWITCH Sites
>> > http://www.freeswitch.org
>> > http://wiki.freeswitch.org
>> > http://www.cluecon.com
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > http://www.freeswitch.org
>> >
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>



Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list