Kamailio has both an ha1 and an ha1b column in its user schema:
ha1 = H(A1) = MD5(user:realm:password)
ha1b = H(A1b) = MD5(user@realm:realm:password)
This is intended to support some devices that append @realm to the user and/or to allow users to put either "user-part only" or "user@domain" into the auth-user field of their UA.
Can anybody comment on the following:
– if secret is configured, and an auth header comes in with auth_user="user@realm", does Asterisk internally make the H(A1b) calculation instead of H(A1) from the secret it has for the user?
– if yes, does that mean it would be relatively easy to add an extra parameter, md5secretb for example, that mimics ha1b and allows cleartext secrets to be abolished?
– what has been observed in practice? Are there any devices actively behaving like this or is it purely a legacy thing?
In repro, we decided to store both versions of every hash when a user is added/updated, but only ha1 is consulted by the authentication code. The ha1b is simply stored to avoid the hassle of resetting all passwords if support for ha1b is completed in future.
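As an added illustration (not part of the original post), the Python below computes both hash forms for constructed sample credentials and verifies an RFC 2617 Digest response against whichever stored column matches the form of username the UA sent, so no cleartext secret is needed on the server. The subscriber table, function names and sample values are assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample credentials for the example (not from the original post).
USER, REALM, PASSWORD = "alice", "sip.example.com", "s3cret"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """Kamailio 'ha1' column: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")


def ha1b(user: str, realm: str, password: str) -> str:
    """Kamailio 'ha1b' column: MD5(user@realm:realm:password)."""
    return md5_hex(f"{user}@{realm}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h_a1}:{nonce}:{h_a2}")


# Assumed provisioning store: both hash columns are kept, the password is not.
SUBSCRIBERS = {USER: {"ha1": ha1(USER, REALM, PASSWORD),
                      "ha1b": ha1b(USER, REALM, PASSWORD)}}


def verify(auth_username: str, realm: str, method: str, uri: str,
           nonce: str, response: str) -> bool:
    """Check a Digest response, selecting ha1 or ha1b by the form of the username the UA sent."""
    if "@" in auth_username:
        local, _, domain = auth_username.partition("@")
        if domain != realm:  # user@otherdomain can never match ha1b for this realm
            return False
        column = "ha1b"
    else:
        local, column = auth_username, "ha1"
    creds = SUBSCRIBERS.get(local)
    if creds is None:
        return False
    expected = digest_response(creds[column], method, uri, nonce)
    # Constant-time compare; hex digests are case-insensitive, so normalise first.
    return hmac.compare_digest(expected, response.lower())
```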