[asterisk-users] md5secret, secret and ha1b hash calculation?
Daniel Pocock
daniel at pocock.com.au
Thu Jun 6 04:18:41 CDT 2013
Kamailio has both a ha1 and ha1b column in its user schema:
ha1 = H(A1) = MD5(user:realm:password)
ha1b = H(A1b) = MD5(user@realm:realm:password)
This is intended to support some devices that append @realm to the user
and/or to allow users to put either "user-part only" or "user@domain"
into the auth-user field of their UA.
Can anybody comment on the following:
- if secret is configured, and an auth header comes in with
auth_user="user@realm", does Asterisk internally make the H(A1b)
calculation instead of H(A1) from the secret it has for the user?
- if yes, does that mean it would be relatively easy to add an extra
parameter, md5secretb for example, that mimics ha1b and allows cleartext
secrets to be abolished?
- what has been observed in practice? Are there any devices actively
behaving like this or is it purely a legacy thing?
In repro, we decided to store both versions of every hash when a user is
added/updated, but only ha1 is consulted by the authentication code.
The ha1b is simply stored to avoid the hassle of resetting all passwords
if support for ha1b is completed in future.
Regards,
Daniel
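As an added illustration of the two hash forms discussed above (this is example code, not Kamailio, Asterisk or repro code): it computes ha1 and ha1b as defined in the post, then verifies an RFC 2617 digest response (no qop) against whichever stored hash matches the form of the username the UA sent, so the server never needs the cleartext secret. The usernames, realm, password, nonce and URI are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """ha1 = H(A1) = MD5(user:realm:password), as in the Kamailio schema."""
    return md5_hex(f"{user}:{realm}:{password}")


def ha1b(user: str, realm: str, password: str) -> str:
    """ha1b = H(A1b) = MD5(user@realm:realm:password), the @realm variant."""
    return md5_hex(f"{user}@{realm}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h_a1}:{nonce}:{h_a2}")


def verify(auth_username: str, stored_ha1: str, stored_ha1b: str,
           method: str, uri: str, nonce: str, response: str) -> bool:
    """Check a client's digest response using only the stored hashes.

    If the UA put "user@realm" in the username field, the client hashed
    A1b, so the server must compare against the stored ha1b; otherwise
    against ha1. Constant-time comparison avoids leaking match length.
    """
    expected_h_a1 = stored_ha1b if "@" in auth_username else stored_ha1
    expected = digest_response(expected_h_a1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials (not real accounts).
    realm, user, pw = "example.com", "alice", "s3cret-sample"
    h1, h1b = ha1(user, realm, pw), ha1b(user, realm, pw)
    nonce, uri = "constructed-nonce-1", "sip:example.com"
    # A UA that sends user@realm produces a response derived from ha1b.
    resp = digest_response(h1b, "REGISTER", uri, nonce)
    print("ha1 :", h1)
    print("ha1b:", h1b)
    print("user@realm verifies:", verify(f"{user}@{realm}", h1, h1b, "REGISTER", uri, nonce, resp))
```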