Thanks for the reply Mircea, we are in the process of rebuilding
sipxopenacd with a change to use hshpstk instead of pntk to login. 

 

Hopefully hshpstk sticks around. :-)

 

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Mircea
Carasel
Sent: Monday, June 18, 2012 5:59 PM
To: sipXecs developer discussions
Subject: Re: [sipx-dev] Plain text pintoken

 

Also, I forgot to mention that the hshpstk field in Mongo contains the
hashed value of the SIP password. I quickly searched through the code
but I don't see any use of that field.

 

We always kept SIP password in clear text in postgres...

 

Mircea

 

On Tue, Jun 19, 2012 at 12:46 AM, Mircea Carasel <[email protected]>
wrote:

 

On Tue, Jun 19, 2012 at 12:22 AM, Miguel Gonzalez
<[email protected]> wrote:

Since we upgraded SipXecs on Friday it appears that when you add new
users or update an existing user, the pin token going into the users
Postgres table is plain text.  We have been able to reproduce this
using both the sipxconfig users interface and the APIs.  It looks like
the hashed value still ends up in IMDB in the hshpstk field, but the
pntk fields for both IMDB Users and OpenACDAgents end up as plain text.
We have been fixing these manually in both Mongo and Postgres but were
wondering if this is a known issue.

 

Users who end up with a plain text pin token are not able to log into
OpenACD until we manually fix them.

We recently separated pintoken from voicemail pin.

pintoken now stands for user portal password and instant messaging
password, and OpenAcd password (the same password for all three).

pintoken is now saved in plain text format in both postgres and imdb
because we wanted to unify user password with instant messaging password
and open acd password, and therefore we couldn't keep a one-way hash
mechanism (openfire uses a two-way hash and keeps password key in plain
text, and we used to save IM password in plain text anyway).

 

Still, the voicemail pin is kept in a one-way hash of username:password
(see Md5Encoder.java).

The plan is to find a way to use a one-way hash mechanism that does not
include the realm for user portal, IM, open acd in 4.8 release.

 

Another reason for this change was that, for example, in previous sipxecs
releases we used a one-way hash of username:realm:password, and most
users had realm the same as domain name. Changing the domain name would
result in a user login failure.

 

I am not sure if OpenAcd code was aligned with this password strategy
change.

 

please see: http://track.sipfoundry.org/browse/XX-10165

 

Hope this helps

Mircea

         

        Thanks for your help

         

        Miguel Gonzalez 

        Programming Manager

        PATLive

        1.800.775.7790 x743 <tel:1.800.775.7790%20x743> 

        1.800.398.0508 fax

        [email protected] <mailto:[email protected]>


         

        Hosted Communications | Friendly Service    www.patlive.com
<http://www.patlive.com/> 

         

         

        _______________________________________________
        sipx-dev mailing list
        [email protected]
        List Archive: http://list.sipfoundry.org/archive/sipx-dev/

 

 

_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
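
Added example, not part of the original thread and not sipXecs code: it shows why a stored hash of username:realm:password stops verifying once the domain (realm) is renamed, next to one possible realm-free one-way scheme. MD5 for the realm-bound form, PBKDF2 with a per-user salt for the alternative, and every name and sample value below are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed work factor for this example


def realm_bound_hash(username: str, realm: str, password: str) -> str:
    """One-way hash of username:realm:password (MD5 is an assumption)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def verify_realm_bound(stored: str, username: str, realm: str, password: str) -> bool:
    """Recompute with the realm currently configured and compare."""
    return hmac.compare_digest(stored, realm_bound_hash(username, realm, password))


def make_realm_free_record(password: str, salt: bytes = b"") -> dict:
    """Salted one-way hash that depends on neither realm nor username."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_realm_free(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and iteration count, constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def demo() -> dict:
    # Constructed sample user, realms and password.
    user, password = "200", "s3cret-portal-pw"
    stored = realm_bound_hash(user, "old.example.com", password)
    record = make_realm_free_record(password)
    return {
        "realm_unchanged": verify_realm_bound(stored, user, "old.example.com", password),
        "after_domain_rename": verify_realm_bound(stored, user, "new.example.com", password),
        "realm_free_ok": verify_realm_free(record, password),
        "realm_free_wrong_pw": verify_realm_free(record, "not-the-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```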
