How to change default Asterisk Manager password and default username/password for accessing the FreePBX portal

Brand new installation of FreePBX/AsteriskNOW v.1.5.0 32-bit, downloaded from http://dl.digium.com/load_balance.php?q=AsteriskNOW-1.5.0-i386-1of1.iso
FreePBX v2.5.2.2
CentOS 5.3 (Final)

The web GUI shows error “Default Asterisk Manager password used”.
I found this thread: http://www.freepbx.org/support/documentation/faq/changing-the-asterisk-manager-password
However, the procedure described there is outdated, because it only applies if the authentication is stored in files etc/amportal.conf and etc/asterisk/manager.conf , while the FreePBX v.2.5 stores the authentication in the database. Extract of amportal.conf:

AUTHTYPE: authentication type to use for web admin

If type set to ‘database’, the primary AMP admin credentials will be the AMPDBUSER/AMPDBPASS above

valid: none, database

AUTHTYPE=database

What is the proper way to change the default Asterisk Manager password in this case?

Nobody knows answer to this?

Help, anybody? Or everyone is using the default password?

The default manager password is located in the /etc/asterisk/manager.conf file:

[admin]
secret = amp111
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0

The first part [admin] is the user name, secret is the password.

Notice the two important lines:
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0

That means that only localhost can authenticate with this user name/password. So no problem using it.

If you change it, you need to change at at least two places, first in manager.conf then in /etc/amportal.conf

AMPMGRUSER: the user to access the Asterisk manager interface

AMPMGRUSER=admin

AMPMGRPASS: the password for AMPMGRUSER

AMPMGRPASS=amp111

Make sure that both file changes match.
Then you need to do an amportal stop followed by an amportal start.

Before you even try to mess with the passwords, do make a copy of all file BEFORE you change them.

Thank you Mikael, however this procedure does not apply to FreePBX 2.5, because it does not store the password in these files. In 2.5 the password is stored in the database (see my description in the beginning of this thread). I am looking for proper way to update the default Asterisk password when it is stored in the database.

Well, you did not read my answer correctly.

Asterisk Manager password is NOT stored in a database. It is located exactly as I pointed out in my reply.

The user admin however, for accessing the FreePBX portal, is stored in a database together with the password. You change that in the section Administrators in FreePBX setup.

I got it (finally : ) . The warning refers to Default Asterisk Manager password, which has nothing to do with the default username/password for accessing the FreePBX portal.
Anyway, I followed the above procedure and the warning disappeared (thank you Mikael). Sure enough, this had no impact on the default username/password for accessing the FreePBX portal - it still works (freepbx/fpbx). Anyone knows how to change this password or disable this account?

Or everyone here keeps the system unsecured?

I always locate servers I am installing in a DMZ and protect them with a firewall.

The Asterisk manager is setup to only allow connections from the local LAN and SQL only accepts connections from local host.

A phone system IMHO should never be directly connected to the Internet.

Here’s the problem which I don’t think the developers have taken into account.

Yes the passwords are located in the amportal.conf and manager.conf however they also exist hard coded in the Admin files /var/www/html/admin/functions.inc.php, /var/www/html/admin/modules/framework/htdocs/admin/functions.inc.php, and /var/www/html/admin/modules/core/agi-bin/user_login_out.agi so you need to change them there as well otherwise the freepbx admin interface fails to logon using the manager.conf password.

*** BIG CAVEAT here *** if you upgrade your framework those AMPMGRPASS(s) will again go back to the default amp111 and you lose connection all over again.

Hey FreePBX developers please parse the manager.conf or amportal.conf to get the current passwords so the admin interface doesn’t fail after an upgrade.

Thanks,
Mike

msilveus,

I think you may be confused. There is a default set in /var/www/html/admin/functions.inc.php which is used if nothing exists in amportal.conf.

users_login_out.agi has it commented out. It obtains the user and password from the globals set in the current executing channel, and those are obtained from the same place as above.

The functions.inc.php from framework are irrelevant and the same as the above, that is simply the copy from the module that gets installed to the above location.

If you are finding hard copies elsewhere, then you either have an old version of FreePBX (probably pretty old) where this was an issue, or you need to file a ticket with the specific information so it can be tracked down. Checking the mentioned files in the latest releases, I don’t see it hard coded. It is parsed.

I am new to Asterisk and this forum, any assistance on the following items would be appreciated

I have just completed a new installation of AsteriekNOW 1.7.1. I launched my web browser to its IP address and attempted to connect to FreePBX Administration, but I do not know the default USER NAME or PASSWORD.

At the same time I would like the LocalHOST loggin credentials also.

Thanks ahead of time.

MIKE

Mike_D,

One of the keys to getting the most out of open source and the community is to respect the members that offer their time and read the documentation.

By asking a question that is in the third paragraph of the getting started guide is not respectful and in the end you will be frustrated.

http://www.asterisk.org/AsteriskNOW-1.5-QuickStart

When I refer to a DMZ I am not talking about consumer grade firewalls that use the term DMZ to indicate a host that all outside traffic is forwarded to.

When I refer to a server DMZ I am speaking of a protected VLAN that contains only devices that need to expose services to the untrusted network (typically the Internet). NAT is used to forward only required traffic to the hosts in the DMZ.

In the closed source world Cisco ASA’s and Juniper Netscreen devices have this capability.

pfSense can also create multiple security zones and is open source.

It seems that most firewalls (at least the cheaper ones) don’t allow me to enable a DMZ server without NAT. Are there any problems with using NAT to access the server? If so, can you recommend a firewall that allows you to specify a an IP for the DMZ server that is in the public domain (and not on the LAN)?

(Even DD-WRT appears to force NAT to the DMZ server. http://www.wachs.org/?q=node/18)

Thanks!