> M. Ranganathan wrote:
> > On Fri, Aug 7, 2009 at 3:54 PM, Damian Krzeminski<[email protected]> wrote:
> >> Dale Worley wrote:
> >>> On Fri, 2009-08-07 at 11:38 -0400, M. Ranganathan wrote:
> >>>> I would like to get some pointers on how I can access the In Memory
> >>>> Database that holds the SIP passwords of user accounts. I need to
> >>>> access the SIP passwords for the third party call controller.
> >>> If you're using Java, I would say "Don't".
> >>> (http://tinyurl.com/l7aftb) Since the credentials table is generated
> >>> by sipXconfig, you can pull the data out of the Postgres database
> >>> using the same code that sipXconfig does.
> >>>
> >> I cannot stop anyone from reading SIPXCONFIG DB but I do not think
> >> this is a good idea.
> >> First of all "generating" credentials data is not the same as reading
> >> it from the DB. The other thing is sipXconfig reserves the right
> >> to change the database schema so you'd have to track the changes and
> >> adapt. And the third thing is that sipXconfig DB is only available
> >> locally (you can change it but if you do you have to start worrying
> >> about securing it appropriately).
> >> If reading IMDB from Java is really such a hassle sipXconfig can
> >> produce credential data in other formats.
> >> D.
> >>
> >
> > After a little help on the specifics from Mardy, I successfully issued
> > a query to IMDB from sipx supervisor and get back records that look
> > like this:
> >
> > <member>
> > <name>uri</name><value><string>sip:[email protected]</string></value>
> > </member>
> > <member>
> > <name>passtoken</name><value><string>808382d42c626541efc8eaf888be2875</string></value>
> > </member>\n<member>
> > <name>realm</name>
> > <value><string>sipxtest.sipxtest.net</string></value>
> > </member>
> > <member>
> > <name>authtype</name><value><string>DIGEST</string></value>
> > </member>
> >
> > I assume here that the passtoken is the password which has been
> > encoded. To save me some digging time, can somebody let me know how
> > this password is encoded? Can one extract the plain text password from
> > this?
> >
>
> It's HA1:
>
> HA1 = MD5(A1) = MD5(username:realm:password)
>
> (you can also check in org.sipfoundry.sipxconfig.common.MD5Encoder)
>
> You cannot extract clear text password from that. But you
> should not need them for anything (since clear text passwords
> should be only used to produce HA1 for sipXecs realm anyway).
> D.

My 10,000 feet understanding is that MD5(username:realm:password) is one of the ingredients that goes into the challenge formula. You can plug in the hash value directly in the formula along with the rest of the ingredients to generate the challenge response. In other words, if you somehow were able to get the SIP password in cleartext, you would end up calculating MD5(username:realm:SIP password) while computing the challenge response. That quantity is already given to you by the API you describe above, so you do not need the cleartext password to calculate it.
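
Added example, not part of the original thread and not sipXecs code: the RFC 2617 digest response computed from a stored HA1 (the passtoken) without the cleartext password, plus the matching server-side check. The function names are hypothetical, and the sample values are the worked example from RFC 2617 section 3.5; for SIP the method and uri would be the request method and the digest URI.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_from_password(username, realm, password):
    """HA1 = MD5(username:realm:password), the value stored as passtoken."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 response computed from a stored HA1; no cleartext needed."""
    ha2 = md5_hex(f"{method}:{uri}")  # HA2 form for qop absent or "auth"
    if qop is None:
        # Legacy form without qop
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    if not nc or not cnonce:
        raise ValueError("qop=auth requires nc and cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_response(stored_ha1, received, **challenge):
    """Server-side check: recompute from stored HA1, compare in constant time."""
    expected = digest_response(stored_ha1, **challenge)
    return hmac.compare_digest(expected, received.lower())


# Sample challenge parameters from the worked example in RFC 2617, section 3.5.
SAMPLE = dict(method="GET", uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
              qop="auth", nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    # The password is used once, to derive HA1; everything after uses HA1 only.
    stored = ha1_from_password("Mufasa", "testrealm@host.com", "Circle Of Life")
    resp = digest_response(stored, **SAMPLE)
    print(stored, resp, verify_response(stored, resp, **SAMPLE))
```

Because the response is derived from HA1 alone, HA1 is equivalent to the password within its realm, so any store or API that exposes passtoken values needs the same access control as cleartext credentials.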
