I am using pjsip with md5 auth for my phones.
example with random values:
[alice]
type = auth
username = alice
auth_type = md5
md5_cred = 700d85bf1a3cc76ee39e04d633575b9a
I create the hashes with md5(USERNAME:REALM:PASSWORD).
Works perfectly, no problems at all.
But today I noticed that I would like to understand how this works (and I am sorry if this is a stupid question).
How can asterisk verify that? I mean, to my understanding asterisk also has to do something like md5(USERNAME:REALM:PASSWORD) to verify that the hash fits the registration submitted by a phone. But how can asterisk do that? As far as I know asterisk never sees the plaintext password, because in typical registration dialogs it always comes combined with a nonce.
Thank you, I appreciate your fast reply.
I know that the md5_cred that I provide in my config is not the end hash. Still I don’t understand how this is done.
Phone sends a register, asterisk sends an “Unauthorized” with a nonce in the Authenticate header. Client responds with a “response” that contains the credentials (multiple) hashed together with the nonce. So everything that asterisk now has is the nonce, the response and the md5_cred. And since no one can get the password out of the response, I really would like to understand how asterisk now can tell that this is valid or not.
If the locally produced hash matches the one from the remote side, then they match and it is correct. So to be more specific, it's not checking that the password alone is correct. It's checking that everything involved in creation of the hash is correct - realm, username, password, SIP method used, URI.
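A worked example of the exchange described in this thread, added here and not taken from the original posts or from Asterisk's code: the phone derives HA1 from the plaintext password and answers the nonce challenge, while the server recomputes the same response from the stored md5_cred alone. It uses the plain RFC 2617 digest form without qop; realm, password, URI and nonce values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example (not from the original post).
USERNAME, REALM, PASSWORD = "alice", "asterisk", "correct horse battery"
METHOD, URI = "REGISTER", "sip:pbx.example.com"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What the admin puts in md5_cred: md5(USERNAME:REALM:PASSWORD)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """Digest without qop: md5(HA1:nonce:HA2) with HA2 = md5(method:uri).
    Only HA1 enters the computation, never the plaintext password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def phone_side(password: str, nonce: str) -> str:
    # Phone: knows the password, derives HA1 itself, answers the 401 challenge.
    return digest_response(ha1(USERNAME, REALM, password), nonce, METHOD, URI)


def server_verify(md5_cred: str, nonce: str, method: str, uri: str, response: str) -> bool:
    # Server: recomputes the expected response from the stored md5_cred, the
    # nonce it issued, and the method/URI taken from the request, then compares
    # in constant time. A mismatch in any input (password, realm, method, URI,
    # nonce) makes the hashes differ.
    expected = digest_response(md5_cred, nonce, method, uri)
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    md5_cred = ha1(USERNAME, REALM, PASSWORD)  # the md5_cred config line
    nonce = secrets.token_hex(16)              # nonce sent in the 401
    good = server_verify(md5_cred, nonce, METHOD, URI, phone_side(PASSWORD, nonce))
    wrong_pw = server_verify(md5_cred, nonce, METHOD, URI, phone_side("wrong", nonce))
    # Same correct credentials, but the server has since issued a fresh nonce:
    stale = server_verify(md5_cred, secrets.token_hex(16), METHOD, URI, phone_side(PASSWORD, nonce))
    return good, wrong_pw, stale


if __name__ == "__main__":
    print(demo())
```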