Also, I forgot to mention that the hshpstk field in Mongo contains the hashed value of the sip password. I quickly searched through the code but I don't see any use of that field.

We always kept SIP password in clear text in postgres...

Mircea

On Tue, Jun 19, 2012 at 12:46 AM, Mircea Carasel <[email protected]> wrote:

> On Tue, Jun 19, 2012 at 12:22 AM, Miguel Gonzalez <[email protected]> wrote:
>
>> Since we upgraded SipXecs on Friday it appears that when you add new
>> users or update an existing user, the pin token going into the users
>> Postgres table is plain text. We have been able to reproduce this using
>> both the sipxconfig users interface and the APIs. It looks like the
>> hashed value still ends up in IMDB in the hshpstk field, but the pntk
>> fields for both IMDB Users and OpenACDAgents end up as plain text. We
>> have been fixing these manually in both Mongo and Postgres but were
>> wondering if this is a known issue.
>>
>> Users who end up with a plain text pin token are not able to log into
>> OpenACD until we manually fix them.
>
> We recently separated pintoken from voicemail pin.
> pintoken now stands for user portal password and instant messaging
> password, and OpenAcd password (the same password for all three).
> pintoken is now saved in plain text format in both postgres and imdb
> because we wanted to unify user password with instant messaging password
> and open acd password, and therefore we couldn't keep a one-way hash
> mechanism (openfire uses a two-way hash and keeps password key in plain
> text, and we used to save IM password in plain text anyway).
>
> Still the voicemail pin is kept in a one-way hash of username:password
> (see Md5Encoder.java).
> The plan is to find a way to use a one-way hash mechanism that does not
> include the realm for user portal, IM, open acd in 4.8 release.
>
> Another reason for this change was that, for example in previous sipxecs
> releases we used a one-way hash of username:realm:password, and most users
> had realm the same as domain name. Changing the domain name would result in
> a user login failure.
>
> I am not sure if OpenAcd code was aligned with this password strategy
> change.
>
> Please see: http://track.sipfoundry.org/browse/XX-10165
>
> Hope this helps
> Mircea
>
>> Thanks for your help
>>
>> Miguel Gonzalez
>> Programming Manager
>> PATLive
>> 1.800.775.7790 x743
>> 1.800.398.0508 fax
>> [email protected]
>>
>> Hosted Communications | Friendly Service www.patlive.com
>>
>> _______________________________________________
>> sipx-dev mailing list
>> [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-dev/
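The login failure described in the quoted reply, as an added example that is not part of the original thread and is not sipXecs code: a one-way hash of username:realm:password stops verifying once the realm changes, while a salted one-way hash that leaves the realm out keeps working. MD5 for the realm-bound hash and PBKDF2-HMAC-SHA256 for the realm-free one are assumptions, as are all function names and sample values.

```python
import hashlib
import hmac
import os

def realm_bound_hash(user, realm, password):
    """One-way hash of username:realm:password (MD5 is an assumption here)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def realm_bound_verify(stored, user, realm, password):
    # The realm is an input to the hash, so it must match the value used at enrolment.
    return hmac.compare_digest(stored, realm_bound_hash(user, realm, password))

def salted_hash(password, salt=None, rounds=100_000):
    """Realm-free record in a hypothetical format: pbkdf2$rounds$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"

def salted_verify(stored, password):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False  # unknown or malformed record: reject rather than guess
    try:
        rounds, salt = int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(digest.hex(), parts[3])

def login_after_domain_change(user, password, old_realm, new_realm):
    """Enrol under old_realm, then log in under new_realm.

    Returns (realm_bound_ok, salted_ok).
    """
    stored_realm_bound = realm_bound_hash(user, old_realm, password)
    stored_salted = salted_hash(password)
    return (
        realm_bound_verify(stored_realm_bound, user, new_realm, password),
        salted_verify(stored_salted, password),
    )

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(login_after_domain_change("200", "constructed-pass", "old.example.com", "new.example.com"))
```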
