Igor Hernandez wrote: > I was thinking the same thing I believe Tzafrir just alluded to. If the > passwords are encrypted in the DB with a public key then...asterisk > needs to have the private key stored somewhere to be able to decrypt the > values to authenticate the user. In this way there is nothing preventing > whoever intrudes your boxes from getting that key and decrypting the > values himself. > > I might be missing something though and if thats the case chime in, I'm > interested in this issue. > > Regards, > >
You are. md5secret simply stores the crypt hash. When it receives the password attempt, it too, is crypted using MD5 algorithm and then the two hashes are compared. Using MD5 crypt hash, there is no way to "decrypt" the hash. It's a "brute force" methodology to get the password back if you've lost it. -- -- Bird's The Word Technologies, Inc. http://www.btwtech.com/ _______________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2008 - September 22 - 25 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
