Change Passwords on 2.9.0.7

I have recently attempted to change my passwords on FreePBX 2.9.0.7.

Firstly, you may wish to change the root password from time to time. To do this:

su to (or login as) root
Type “passwd” (without quotes)

It will then prompt you to type your new pass, and then to confirm it.

As for FreePBX itself… well,

It’s a while since I last did this, but the first thing I notice is that a google search comes up with these threads:

http://www.freepbx.org/support/documentation/faq/changing-the-asterisk-manager-password

and

http://www.freepbx.org/support/documentation/faq/changing-the-mysql-password

Be warned these are now both seriously out of date. I think it would be useful if a FreePBX staff member updated them.

I have discovered that FreePBX 2.9.0.7 does things rather differently. For a start you are no longer supposed to go hacking into the /etc/amportal.conf file. The passwords for the FOP (Flash Operator Panel) and User Portal Admin, are all now contained within the “Advanced Settings” page:

http://yourdomain/admin/config.php?type=tool&display=advancedsettings

Unfortunately this page does not seem to include the settings for the Asterisk Manager Username and Password. This is still hard-wired into /etc/asterisk/manager.conf. But before you go changing anything in there, I discovered that changing the corresponding entries in the /etc/amportal.conf file (AMPMGRPASS=your_manager_password & AMPMGRUSER=your_manager_user [default: admin]) seems to have no effect at all!

If you change the password in /etc/asterisk/manager.conf then the “Update Configuration Changes” process will fail when trying to run var/lib/asterisk/bin/retrieve_conf.

Now, this php routine calls a new file called /etc/freepbx.conf and lo-and-behold this now contains the MySQL DB passwords, formerly controlled by amportal.conf.

<?php $amp_conf['AMPDBUSER'] = "freepbx"; (normally the default) $amp_conf['AMPDBPASS'] = "your_DB_Password"; $amp_conf['AMPDBHOST'] = "localhost"; $amp_conf['AMPDBNAME'] = "asterisk"; $amp_conf['AMPDBENGINE'] = "mysql"; $amp_conf['datasource'] = ""; require_once('/var/www/html/admin/bootstrap.php'); So, evidently the /etc/freepbx.conf file is the new location in which to change your main mysql DB passwords. Alas, there is still no sign of the corresponding Manager Passwords to match the changes made in /etc/asterisk/manager.conf. If anyone can advise how to do this, please reply here! :-) However, the good news is this is where you will need to change the main password for your FreePBX login. Having done this, you will also need to change the password under MySQL for the user 'freepbx'. The most successful method for me, (ahem... well actually the *only* successful method for me), was as follows. su or logon to the CLI command prompt as root, then type: [root@xyz]# mysql -u root You will then be taken to the mysql console. At the mysql prompt, type the following: mysql> SET PASSWORD FOR freepbx@localhost=PASSWORD('new_password'); ...where 'new_password' is your choice. Don't forget the capitalisation and you will *need to keep the single quotes* inside the brackets! If the command is successful, mysql will respond with: Query OK, 0 rows affected (0.00 sec) mysql> To exit the mysql console type 'quit' (this time without the quotes) to be returned to the CLI. To test the password has been successfully changed, type the following at the CLI: [root@xyz]# mysql -u freepbx -p You will then be prompted for the password you just entered. If you enter it successfully, you will be taken back to the mysql console prompt: mysql> Type 'quit' again to exit back to the CLI. Having changed your MySQL password in both the mysql console and the /etc/freepbx.conf file, you will need to modify one further file: edit /etc/asterisk/cdr_mysql.conf as follows: [global] hostname = localhost dbname=asteriskcdrdb password = new_password <------ user = freepbx userfield=1 ;port=3306 ;sock=/tmp/mysql.sock Having completed all the changes then at the CLI type: [root@xyz]# amportal restart ...and cross your fingers. Hope this helps someone. :-)

That file has nothing to do with the Admin user.

To change the admin user created during install simply use the tools/administrators to change password and privileges for the logins.

This information is seriously flawed, do not edit the freePBX or amportal.conf files under any circumstances.

The proper was to change the manager password is to use the following procedure:

Go to Advanced settings module and make sure you have display hidden settings, readonly settings and override readonly setting set to true. Apply your config settings.

Now you will see the Asterisk Manager and many other password setting show up.

Change the asterisk manager password, and save. You can apply settings, your FreePBX will now show “can’t connect to manager” or some other similar failure.

Now edit /etc/asterisk/manager.conf and change the password to match. Save the file and run an amportal restart and all will be working again.

Aha… the elusive manager password location! Many thanks for this. I have now successfully changed it. :slight_smile:

I do apologise if my post was misleading - although I did say not to poke around the amportal.conf file any more. I might be missing something, however I still see no reference to the contents of the /etc/freepbx.conf file in the “Advanced Settings”, (freepbx mysql password). The only “other passwords” I can see are for the FOP and User portal, which show up anyway - whether or not the “hidden/readonly/override” settings are set to ‘TRUE’.

Can you confirm if the sequence I outlined to change the mysql password is valid or not? This password also seems to set the FreePBX web admin login - so it’s an important one to manage.

Many thanks

MySQL only accepts connections from Localhost. I do not see a reason nor advise it be changes.

I am not sure what you are saying as far as "contents of /etc/freepbx.conf file visible. The Asterisk Manager username and password is the first set of fields in advanced settings.

Yes, and many thanks for explaining how to access the settings for the manager username and password in the ‘Advanced Settings’.

You had said in your earlier post:

[quote]Go to Advanced settings module and make sure you have display hidden settings, readonly settings and override readonly setting set to true. Apply your config settings.

Now you will see the Asterisk Manager and many other password setting show up.[/quote]

So my reply was that the only other passwords (apart from the manager) that I could see showing up were for the FOP and User Portal, which show up anyway.

Regarding the contents of the freepbx.conf file, I had listed these in my original post, but for clarity I will repeat them here:

$amp_conf['AMPDBUSER'] = "freepbx"; (normally the default) $amp_conf['AMPDBPASS'] = "your_DB_Password"; $amp_conf['AMPDBHOST'] = "localhost"; $amp_conf['AMPDBNAME'] = "asterisk"; $amp_conf['AMPDBENGINE'] = "mysql"; $amp_conf['datasource'] = ""; require_once('/var/www/html/admin/bootstrap.php');

I’m querying the procedure to change the mysql password, ‘AMPDBPASS’ or to use a different user apart from the default “freepbx”. These are not the same as the Manager password and username which appear as the first group of the ‘Advanced Settings’ and also in the file: /etc/asterisk/manager.conf. But (as far as I can tell) they are necessary to edit in order to change the default login for the FreePBX Web Administration interface… [I]unless you know of another way which does not require editing the /etc/freepbx.conf file.[/I]

But in reply to your query about the connection to ‘localhost’ as a separate issue, yes there may also be a reason to change localhost to another domain if mysql is hosted elsewhere in a network environment. [I]I’m not saying it’s recommended of course, but it’s perfectly possible some administrator may want to do it this way.[/I]

You are absolutely right. I hate to admit it but most of our user have no clue how MySQL works. We have not provided an easy path to reconfigure the MySQL. In fact you will find that all sorts of sh** breaks when you change it (such as the ARI and reports). This code keeps getting improved with every release.

The bottom line is if someone knows how to setup MySQL on another server they will be able to figure it out. Personally I have not had a chance to see what has moved to the freepbx.conf file, only so many hours in the day.

It’s just that regardless of what super-dooper-admins may want to do, the “ordinary user” (if there is such a creature) will reasonably want to change their login password and/or username to the freepbx web admin interface.

I think this is a feature which should also be included in “advanced settings”, but in its absence - then the only way of changing this password seems to be as I described at the head of this thread. This requires editing the /etc/freepbx.conf and /etc/asterisk/cdr_mysql.conf files and using the mysql console to change the password for the freepbx user. (I haven’t tried changing the username from the default as 'ere be dragons.)

I must be blind or I can’t see the ‘wood for the trees’.

I can see no “administrators” setting under the “tools” menu.

Where should I be looking?

Thanks,

Andy

Sorry it’s not under tools. Look in Setup/Basic it’s the 6th option from the top.

Oh that Administrator settings… (I knew that… honest.)

Problem with that page is… it’s blank. It allows me (as the default freepbx administrator) to add more administrators, give them passwords and grant them privileges - but I cannot modify the password (or username) for the default ‘freepbx’ administrator in there.

So, if you take a vanilla flavoured installation of FreePBX fresh ‘out of the box’, I believe it will still come complete with user ‘freepbx’ and password “amp111”, which is a big security risk.

Since this is not displayed in the administrator’s panel, how else can we change the password apart from editing the two files I mentioned and changing the mysql password in the mysql console? It would be nice if we could change the default super-admin username from ‘freepbx’ too - but as I said earlier I daren’t try it myself for 'ere be dragons!

You are very confused.

The Asterisk Manager Interface is what the freepbx and amp111 password is for. You can’t login to the Web Interface with that password. FreePBX uses the AMI user to communicate with Asterisk.

The AMI user is defined in /etc/asterisk/manager.conf and must match what is in the advanced settings module.

If you want to be super secure change the netmask on the manager user to only allow the localhost.

Yes, I admit I’m slightly more confused now than I was when I started… :eek:

I’ve just tested this, and when I change the password for the Asterisk Manager in the Advanced Settings, it does not change the password for the FreePBX web admin login. Also the Asterisk Manager username default is “admin”, whereas the FreePBX web admin login is “freepbx”.

I am reasonably certain, therefore, that the only way to change this is by editing the contents of the /etc/freepbx.conf file: <?php $amp_conf['AMPDBUSER'] = "freepbx"; $amp_conf['AMPDBPASS'] = "your_DB_Password"; <------ $amp_conf['AMPDBHOST'] = "localhost"; $amp_conf['AMPDBNAME'] = "asterisk"; $amp_conf['AMPDBENGINE'] = "mysql"; $amp_conf['datasource'] = ""; require_once('/var/www/html/admin/bootstrap.php'); …and then to change the /etc/asterisk/cdr_mysql.conf file: [global] hostname = localhost dbname=asteriskcdrdb password = your_DB_Password <------- user = freepbx userfield=1 ;port=3306 ;sock=/tmp/mysql.sock

…and finally to enter the mysql console and change the password for user ‘freepbx’ as outlined in my earlier post.

AMPDBUSER is the MySQL username that FreePBX uses.

etc/asterisk/cdr_mysql.conf contains the MySQL credential the Asterisk SQL CDR engine uses.

The Advanced Settings modules Does Not provide a facility to change the MySQL credentials for FreePBX.

The fields under Asterisk Manager in Advanced Settings sets the credentials that FreePBX will use to access the Asterisk Manager Interface.

The “Administrators” module controls access to the FreePBX web interface if authmode is set to “database”

Does this help at all?

I think we might be getting there - although sloooooooowly.

That little nugget of information points back to a setting “Authorization Type” in the “Advanced Settings” menu under the section title; “System Setup”. The available Options are: “database” “none” “webserver”.

To quote the hint: (underscore mine)

[quote]Authentication type to use for web admin. If type set to database, the primary AMP admin credentials will be the AMPDBUSER/AMPDBPASS above. When using database you can create users that are restricted to only certain module pages. When set to none, you should make sure you have provided security at the apache level. When set to webserver, FreePBX will expect authentication to happen at the apache level, but will take the user credentials and apply any restrictions as if it were in database mode.

Default Value: database
Internal Name: AUTHTYPE[/quote]

Note the word “above” which implies the AMPDBUSER/AMPDBPASS settings are also in here. Unfortunately they are definately not “above” - at least not in my version 2.9.0.7. So we must conclude then that until it is included, (perhaps in a future update??), then the only current way of setting, “the primary AMP admin credentials … AMPDBUSER/AMPDBPASS”, is to edit the files in the manner I mentioned in my earlier post.

In searching up info on the AuthDB setting, I also note the following thread “Beware: Backdoors to FreePBX”, (dated April 2011), which may affect users of older systems where, (to quote p_lindheimer), “the default install newinstall.sql file … is often used to create new systems and … there is a left over admin/admin for user and password.”

http://pbxinaflash.com/forum/archive/index.php?t-10081.html

This issue seems to apply to older installations (which may or may not have been upgraded) where authmode is set to “Database”. But it could, in principle, affect any FreePBX user.

If anyone is unsure if the issue affects them, it is probably just as well to check for themselves by logging out of the FreePBX web admin and trying to log back in using the credentials admin/admin.