I understand the advantage of md5 hashing, its been the standard for years for day to day user auths. What we were discussing was the merits of the proposed public key scheme for this application, where the private key would always need to be available therefore not giving any real security.
Regards, -- Igor Hernandez Escape Communications http://www.escapetel.com BJ Weschke wrote: > Igor Hernandez wrote: >> I was thinking the same thing I believe Tzafrir just alluded to. If the >> passwords are encrypted in the DB with a public key then...asterisk >> needs to have the private key stored somewhere to be able to decrypt the >> values to authenticate the user. In this way there is nothing preventing >> whoever intrudes your boxes from getting that key and decrypting the >> values himself. >> >> I might be missing something though and if thats the case chime in, I'm >> interested in this issue. >> >> Regards, >> >> > > You are. md5secret simply stores the crypt hash. When it receives the > password attempt, it too, is crypted using MD5 algorithm and then the > two hashes are compared. Using MD5 crypt hash, there is no way to > "decrypt" the hash. It's a "brute force" methodology to get the password > back if you've lost it. > _______________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2008 - September 22 - 25 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
