Asterisk

How to use MD5 authentication on Asterisk SIP endpoints

What are the advantages of using MD5 authentication when creating an endpoint in Asterisk?

The main advantage (perhaps the only one) is that endpoint passwords are no longer visible in the CLI.

Before continuing, check whether the MD5 module is already installed and loaded in your Asterisk.

Bash
asterisk -rx 'core show function MD5'

The above command should return information about MD5 in Asterisk.

Here is another way to check if the module is already loaded.

Bash
asterisk -rx 'module show like func_md5.so'

If everything is ok and the module is already loaded, you should see something like this:

Bash
Module                         Description                              Use Count  Status      Support Level
func_md5.so                    MD5 digest dialplan functions            0          Running              core
1 modules loaded

If for some reason the module is not yet loaded, you can load it with the following command:

Bash
asterisk -rx 'module load func_md5.so'

If the module still does not appear as loaded, you will need to recompile Asterisk and select the MD5 option in “make menuselect”.

Now that we have the module installed and loaded in Asterisk, we need to understand how to generate the MD5 hash.

To generate the hash, you will need these three pieces of information:

  • username (endpoint user)
  • password (endpoint password)
  • realm (default is “asterisk”)

You can get the realm with the following commands; the first is for PJSIP and the second is for SIP.

Bash
asterisk -rx "pjsip show settings" | grep "realm"
asterisk -rx "sip show settings" | grep "realm"

Now that we have the module running and the necessary information, let’s move on to creating the hash.

The hash is created from a string with this structure: username:realm:secret.

Remember to substitute your own values.

Bash
echo -n "2001:asterisk:123456" | md5sum

The result will be a string with this format: 2e40add36ae0d26b72cdc4003f3f7148

Now, in the “/etc/asterisk/pjsip.conf” file, locate the endpoint's authentication settings and change them to look like this, with md5_cred set to the hash you generated:

Bash
[auth2001]
type=auth
auth_type=md5
username=2001
md5_cred=2220963c4b5d243ea8d5471b7a767d2a

After making the changes, reload the PJSIP settings.

Bash
asterisk -rx "pjsip reload"
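
A scripted version of the hash and config steps above, as an added example that is not part of the original post: it reads the password from standard input so it does not land in shell history, and it can check a stored md5_cred against a given realm, since a hash built for one realm does not match another. The function names ha1, auth_section and cred_matches and the script name mkauth.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build the md5_cred value for
# pjsip.conf. Function names are illustrative assumptions.

# ha1 USER REALM -- password on stdin; prints MD5(user:realm:password) in hex.
ha1() (
    user=$1 realm=$2 pass=
    IFS= read -r pass || :          # accept input with or without a newline
    [ -n "$user" ] && [ -n "$realm" ] && [ -n "$pass" ] || exit 1
    # printf '%s' emits no trailing newline; a newline would change the hash.
    printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -d' ' -f1
)

# auth_section NAME USER REALM -- password on stdin; prints the auth section.
auth_section() (
    cred=$(ha1 "$2" "$3") || exit 1
    printf '[%s]\ntype=auth\nauth_type=md5\nusername=%s\nmd5_cred=%s\n' \
        "$1" "$2" "$cred"
)

# cred_matches STORED USER REALM -- password on stdin; succeeds only when the
# stored md5_cred was built from exactly this user, realm and password.
cred_matches() (
    stored=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    cred=$(ha1 "$2" "$3") || exit 1
    [ "$stored" = "$cred" ]
)

# Usage: sh mkauth.sh 2001 [realm]   (the password is prompted for, not echoed)
if [ "$#" -ge 1 ]; then
    trap 'stty echo' EXIT
    printf 'Password for %s: ' "$1" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    printf '%s' "$pw" | auth_section "auth$1" "$1" "${2:-asterisk}"
fi
```

Because md5_cred is the HA1 value that SIP digest authentication computes from the password, treat pjsip.conf as holding a credential and restrict who can read it.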

Here is the difference between the userpass and MD5 authentication methods.

Bash
asterisk -rx "pjsip show auth auth2001"

Output with userpass method:

Output with MD5 method:

On the endpoints themselves (softphone, gateway, etc.), no changes are necessary, as the password for these devices remains the same.

What we changed here was just the way they are displayed in the Asterisk CLI.

I hope I have contributed!
