Unable to locate AUTHTYPE in advanced settings

maint was trixbox, admin is something else.

SkyKing, dicko, et al

First, a very very big “THANK YOU” for taking the time to stay with the thread and follow my issues, and make thoughtful and meaningful suggestions. Very much appreciated.

Now for some specifics to address the above (I took some time to sleep):

  • Skyking: sorry about the slider reference. I STARTED with FPBX 2.9, but upgraded to 2.10, while STILL in AUTHTYPE=none mode. The 2.10 interface came up, and occasionally the password challenge would appear, I used “maint” username and master password I chose, and would get in. I then changed to AUTHTYPE = database after folks said it would be ok, warning disappeared on “admin” module page, and I added accounts.

  • dicko: Since I was already “logged in” to admin, a new password challenge never popped up on the computer I was working from (I think when that mode is changed, proper security procedure would require a new login, but that is a small point). But I thought I would try out the new accounts via iPad, so in case the mode change left me locked out, I would be able to reset via the computer interface that still allowed me to admin.

Sure enough, NONE of the accounts I set up had access to the FPBX GUI on the iPad. An odd side effect that was occurring is after a few bad password attempts, the GUI would stop responding, both on iPad and computer, and I had to reboot the instance (I’m running this on a cloud infrastructure). Finally, I got tired enough and went to sleep and figured I’d deal with it all in the morning.

This morning, when I went to computer GUI (which is STILL logged in), the interface responded. Then, I went to iPad, and tried a few of the accounts I set up and NOW the accounts were allowed to login with credentials I set up.

SO, net-net summary of my long saga is things appear to be working now, but not without a bit of “weirdness”.

I personally think there are too many password “modes” (AMPDBUSER, AMPMGR, etc), and too many different configuration options than are really necessary, which leads to issues like this, which often I use as an excuse to not stray too far from defaults, as I don’t believe all the possible combinations have been fully tested (or perhaps I am just doing something odd, or stupid with combination settings, but I don’t think so, as I leave all suggested “DON’T CHANGE THIS” options alone, and only change the ones suggested).

At any rate, I hope my experience has provided some useful insight to FreePBX community / developers so as the product evolves and improves, perhaps the next area to “simplify” would be the admin components.

Thanks again for everyone’s help.

You were locked out because the intrusion detection system saw the bad password attempts. You can manage that from the sysadmin module.

As far as all of the different accounts: FreePBX has to communicate with the components via APIs that require authentication.

MySQL (AMPDBUSER) - Data Store
AMPMGR - Asterisk API

and lastly user accounts.

Skyking

I had thought about that, but I wasn’t able to even ssh to the box, which would (or at least to me “should”) not have been affected by FreePBX authentication. Rebooting seemed to solve it but then it occurred again, so I had thought some runaway process was sucking things down… Was too tired and now everything works.

But as for all the communication for password changes, I would have hoped that the modules responsible would do all the “right things” synchronously (i.e. communicate change, wait for ack, check, etc), but from the sounds of it, it seems like password changing may have a bit of async aspects to it, or perhaps I’m not understanding the process.

Thanks

The intrusion detection uses iptables and bans the source IP. That would block all services, not just port 80.

Interesting.

Funny you should mention that… just tried to login to the FreePBX GUI via iPhone and sure enough up popped some “Login required” box, and I tried every username/password combo I have: root, maint, FreePBX admin accts… Nothing worked and of course now I’m locked out for a while based on the IP ban.

What IS that pop up challenge? System? Freepbx ? Which username password is required for that?

Thanks

I would from bash:-

iptables --flush

#to stop iptables

updatedb
locate .htaccess

#to make sure no-one has slipped something into /var/www/html/admin or /var/www/html/ itself.

#then add a new user with (one-line):-
#(the backticks are command substitutions: they pull AMPDBUSER/AMPDBPASS out of amportal.conf and sha1sum the new password)

mysql -p`cat /etc/amportal.conf |grep -r "^AMPDBPASS"|cut -d "=" -f2` -u`cat /etc/amportal.conf |grep -r "^AMPDBUSER"|cut -d "=" -f2` -D asterisk -e "INSERT INTO ampusers (username, password_sha1, sections) VALUES ('dicko', '`echo -n "mypassword"|sha1sum|cut -d " " -f1`', '*')"

then login to your server :-

http://ipaddress/admin/index.php

using dicko/mypassword

You never know, it might work for you. IWFM on versions of FreePBX from at least 2.4 through 2.10 and in all distros I have yet encountered, but a caveat, I only use “open source” software, or at least it would need an underlying GNU license:-)

Thinking about a few recalcitrant migrations in the past, sometimes the user and password in amportal.conf are just wrong; use your current root mysql account creds if so.

Then check your “sysadmin” (I believe) module for “inelegances” and your admin/administrators module for inaccuracies.

OP is almost certainly using PIAF which uses different security model (apache) than FreePBX distro.

With my method, I don’t believe that would matter, been there, done that. I personally distribute FreePBX/Asterisk under Debian Squeeze and apache2, it works there too, but yes you can move the normal .htaccess restrictions into the httpd/apache2 conf files; I haven’t PIAF’ed in a while though.

Were the FreePBX distro truly open-source in toto, I might be tempted to install it :slight_smile:

I post here under the www.freepbx.org banner with full deference to Phillippe and all that went before, not so much to Schmooze the “proud sponsors”; yes I know we all need to make a buck, and they probably give the truest FreePBX distro out there (go figure why :slight_smile: ). I am getting a little uncomfortable though as to where FreePBX is going (being told to go).

Bootstrapping open source FreePBX and Asterisk and usually CentOS into a locked-in .iso with added value (and added cost) additions that you “just have to believe in” has over the last few years caused a few distros to disappear and left others in a very perilous place; worse is that it has left many poor implementors out in the cold.

I truly hope I am wrong.

JM2CWAE

This whole authentication strategy I think needs to be simplified and/or rethought in general, as there are too many initial config things that can leave one in a funny state:

Few things;

  • at the moment, no user/password I have set has cmdline access to MySQL. Not sure why that is or, more importantly, how I will get in, but I will figure that out.

  • more importantly, when I try to access the menu.php?id=admin page, I’m still getting a popup challenge: “authentication required”, which accepts the old “maint” user and password I set.

  • After successfully passing that challenge, I’m then dropped onto the FreePBX page, only to be looking at a “username / password” challenge AGAIN. This time the accounts I entered in the admin panel work. So somewhere, one of the AMPORTAL conf files/DB/secret thing wasn’t told to disregard the initial pop up challenge (where is that generated, by the way?), and go directly to the admin challenge page.

If anyone has thoughts on if my files are in a whacky state, or something went awry during 2.9->2.10 FreePBX upgrade, or some other thought on this, I’m all ears.

Thanks again

Several comments, and I am in pure OP mode here:

1 - Dicko, take the philosophy on the distro and FreePBX to another thread

2 - rotorboy, we can’t control what happens in the other distros; however FreePBX simplified the authentication in 2.10 by making database the default. If you lock yourself out just use the ‘amportal admin auth_none’ command to lock you into no authentication mode. Go create a user, then go into advanced settings and set the authtype back to DB and reload.

This insert into MySQL process is highly convoluted; other than showing dicko’s skills at MySQL it doesn’t accomplish anything.

Skyking

Actually the MySQL stuff was pretty straight forward, but what was most impressive was the in-line BASH scripting for text string extraction and insertion in one line! Very nice.

I understand the distro problem, and foolish stupidity on my part for not ensuring I started from latest, though I guess anyone going from 2.9 to 2.10 may run into this legacy issue. The “lock out” issue I had mentioned was being locked out of accessing MySQL from the root account. I can get into MySQL using one of the accounts created in the admin module (e.g. “admin”), but they can only see two databases (information_schema and test), even though they have full access, which makes me wonder what is going on.

But there is one 2.9/authtype legacy issue that seems to be persisting, and that is when I first go to admin screen URL now (using chrome), I get logged in as “asteriskuser”, even though no such account is visible in “admin” module. Apparently not only does chrome autologin for me, but what is strange is that “asteriskuser” must still be in MySQL DB and/or config file as it is not only recognized, but login with “asteriskuser” works.

A quick check of amportal.conf has the following:

Authorization Type

Default Value: database

AUTHTYPE=database

— CATEGORY: Bootstrapped or Legacy Settings —

AMPDBUSER=asteriskuser

AMPDBPASS=amp109

Am I stuck in some sort of “dual access” mode? should I comment out/ remove these settings now that I’m on 2.10? Do I even need an AMPDBUSER entry in amportal.conf? Shouldn’t the upgrade to 2.10 have “wiped” and rewritten it? Any thoughts as always appreciated.

Thanks again

PS. If you are “skyking” in deference to original “skyking”, perhaps when you are in NYC I can take you on copter “city tour”

skyking;

It should also be noted I don’t see anywhere in “advanced settings”, with “show read only” true, where to set/change the AMPDBUSER / AMPDBPASS values.

I’m either missing it, or something is up.

Thanks

MySQL has its own root account. I am still not sure on the lineage of your system so not sure what to tell you. The bottom line is you need to log on to MySQL with full privs and use the ‘grant access to’ command to authorize the account referenced in etc/asterisk/freepbx.conf.

amportal.conf is written by the system and should not be edited.

The FreePBX auth method authenticates within the FreePBX web interface. If you use http to secure the web path you will be authenticated prior to FreePBX loading?

Does this make sense?

understood about MySQL, and lineage is PIAF “purple” release, on CentOS 6.2, if that provides any clue.

I also understand that amportal.conf is written by the scripts that drive the GUI.

Unfortunately, I can’t find anywhere under “Advanced settings” to change the “default” “asteriskuser” account with the default “amp109” password, which can still access the GUI.

What am I missing? Do I need to “force upgrade” Freepbx framework again?

Thanks

In your third post you said, display read only solved this issue. I thought we were talking about the MySQL account not the AMI user?

I may have spoken imprecisely. Allow me to rephrase, with current status:

  • the MySQL account and access IS at issue, but not a primary one, as FreePBX can clearly access it as it needs, so not critical that I can access via a query browser

  • The primary issue for me right now is to be able to change AMPDBUSER / AMPDBPASS from the UI, so that it gets appropriately changed in /etc/amportal.conf. Of course I can edit by hand and “reread”, but I would like to do it via the GUI for “consistency” sake. Those two values are NOT visible anywhere in advanced settings or elsewhere that I can think to look.

Sorry for the confusion, and thanks for continued help…

Ok, first, you can’t change amportal. The reason the DB password is external is because all the other variables are stored in the DB now. amportal.conf is only written out to maintain consistency for 3rd party apps that still use it.

Here is where the settings are in advanced settings. It has been there in every version:

I’m either very confused, misunderstanding something basic, or not explaining my issue well. Let me see if I can elucidate further:

I see the Asterisk Manager items you provided, but my understanding is that they don’t influence any FreePBX control, is that correct?

Currently, I’m able to use the username combo of “asteriskuser/amp109” to log into FreePBX GUI and perform any admin work. This is the default and clearly a security issue. Authtype IS set to “database”, but I DON’T see “asteriskuser” account in the admin module sidebar. Though AMPDBUSER/AMPDBPASS settings are referenced in “advanced settings” help bubbles, I don’t see anywhere they can be set in “advanced settings”. Perhaps they aren’t supposed to be going forward?

Unfortunately, I STILL have not been able to determine a MySQL user/pass combo that will let me view the “asterisk” DB and associated users table.

FreePBX is clearly seeing “asteriskuser/amp109” as a valid login, so it must either be stored in MySQL as a valid account (but NOT visible in the list), OR it’s getting it out of amportal.conf, which you mention is written out for legacy purposes. So how do I 1. disable asteriskuser for FreePBX access or 2. If not allowed to disable/remove “asteriskuser” account, how do I change the password to not be the default?

Hopefully this clears up any ambiguous aspects of where I’m at and the issue I’m facing.

Thanks again, and sorry to be obtuse…

You are confused, but this can be confusing material.

You can’t change the AMPDBUSER/PASSWD, that is used for MySQL from the GUI. That would create a race condition and lock you out. Those settings are stored in etc/asterisk/freepbx.conf and displayed in advanced settings as reference.

The asteriskuser/amp109 is no longer used as it was widely known. The new install script (install_amp) generates random credentials.

It sounds like you have the below setting on, this can be used for debug and allows you to login with db credentials:

Does this solve your mystery?
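As an added example (not code from the thread or from FreePBX itself) tying together dicko’s one-liner and the asteriskuser/amp109 default discussed above: this script reads AUTHTYPE, AMPDBUSER and AMPDBPASS out of an amportal.conf, flags the two weak states the thread hit (AUTHTYPE=none and the widely known default DB credentials), and builds the ampusers INSERT with the SHA-1 the GUI stores, without talking to MySQL. The config fragment is a constructed sample; amp_get, audit_amportal and ampusers_insert are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: audit the credentials FreePBX keeps in
# amportal.conf and build the ampusers INSERT that dicko's one-liner feeds to
# mysql. Nothing here connects to MySQL; the config below is a constructed sample.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample amportal.conf fragment (values quoted in the thread)
AUTHTYPE=database
AMPDBUSER=asteriskuser
AMPDBPASS=amp109
EOF

# amp_get FILE KEY: print the value of the first KEY=value line, trimmed
amp_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d '=' -f2- | tr -d ' \t\r'
}

# audit_amportal FILE: print one finding per line; return 1 if anything is found
audit_amportal() {
    rc=0
    auth=$(amp_get "$1" AUTHTYPE)
    user=$(amp_get "$1" AMPDBUSER)
    pass=$(amp_get "$1" AMPDBPASS)
    if [ "$auth" = "none" ]; then
        echo "AUTHTYPE=none: the GUI asks for no login at all"
        rc=1
    fi
    # the default pair the thread found still accepted by the GUI
    if [ "$user" = "asteriskuser" ] && [ "$pass" = "amp109" ]; then
        echo "AMPDBUSER/AMPDBPASS are the well-known defaults asteriskuser/amp109"
        rc=1
    fi
    return "$rc"
}

# ampusers_insert USER PASSWORD: the INSERT for the ampusers table, with the
# password as hex SHA-1 in password_sha1 and sections='*' (full admin), as in
# the one-liner. The username is restricted to [A-Za-z0-9_] so it cannot
# break out of the SQL string literal.
ampusers_insert() {
    case $1 in ''|*[!A-Za-z0-9_]*) echo "refusing username: $1" >&2; return 1;; esac
    hash=$(printf '%s' "$2" | sha1sum | cut -d ' ' -f1)
    printf "INSERT INTO ampusers (username, password_sha1, sections) VALUES ('%s', '%s', '*');\n" "$1" "$hash"
}

audit_amportal "$SAMPLE_CONF" || echo "-> rotate these before exposing the GUI"
ampusers_insert dicko mypassword
```

Pipe the generated INSERT into mysql only after audit_amportal reports nothing, or the new account will sit next to the defaults it was meant to replace.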