I have configured my Asterisk IAX and SIP users in a database and they are supposed to be authenticated by passwords which are md5 encrypted and stored in the realtime tables as well. I, however, noticed the user/password combinations are not verified by asterisk when the users place calls. The username alone is enough to get calls through the system and this is unsatisfactory for me since it is a potential security loop-hole.
Any pointers to what I am missing out? A flag I possibly have to switch to get the password authentication process active? I will be very grateful for any hints.