[asterisk-bugs] [JIRA] (ASTERISK-20677) Action Challenge not working with allowmultiplelogin=no

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Nov 12 09:14:21 CST 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=199556#comment-199556 ] 

Matt Jordan commented on ASTERISK-20677:
----------------------------------------

It appears as if the Challenge action wasn't implemented properly in this situation.  When performing a Challenge without being logged in, a {{UserName}} header must be supplied with the action:

{noformat}
Action: Challenge
UserName: foo
AuthType: MD5

Response: Success
Challenge: 1583744384
{noformat}

The contents of the {{UserName}} field are immaterial - so long as any character string is provided, a challenge will be sent back.  Otherwise, the "Login Already In Use" error will be kicked back.

In many ways, this makes a small amount of sense - allowing an unauthenticated connection to enumerate potential user accounts would be a security vulnerability.  That being said, at that point the UserName field is useless, so it shouldn't be a requirement for the command to be executed.


> Action Challenge not working with allowmultiplelogin=no
> -------------------------------------------------------
>
>                 Key: ASTERISK-20677
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20677
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/ManagerInterface
>    Affects Versions: 11.0.1
>         Environment: CentOS 5.8 i386, AMD Opteron 1214
> CentOS 5.8 x86_86, Intel Xeon E5-2620
>            Reporter: Vladimir
>
> With the option {{allowmultiplelogin=no}} in manager.conf, the Challenge action does not work. When I try to connect to the Manager Interface via telnet, I get these responses:
> {code} 
> [root at asterisk-test ~]# telnet 127.0.0.1 5038
> Trying 127.0.0.1...
> Connected to asterisk-test.company.tld (127.0.0.1).
> Escape character is '^]'.
> Asterisk Call Manager/1.3
> Action: Challenge
> AuthType: MD5
> Response: Error
> Message: Login Already In Use
> Connection closed by foreign host.
> {code} 
> or periodically
> {code} 
> [root at asterisk-test ~]# telnet 127.0.0.1 5038
> Trying 127.0.0.1...
> Connected to asterisk-test.company.tld (127.0.0.1).
> Escape character is '^]'.
> Asterisk Call Manager/1.3
> Action: Challendge
> AuthType: MD5
> Response: Error
> Message: Permission denied
> Connection closed by foreign host.
> {code} 
> No users connected to manager at this time:
> {code} 
> [root at asterisk-test ~]# asterisk -rx 'manager show connected'
>   Username         IP Address                                               Start       Elapsed     FileDes   HttpCnt   Read   Write
> 0 users connected. 
> {code} 
> With {{allowmultiplelogin=yes}} the Challenge action works fine. Login without challenge also works fine.
> {code:title=manager.conf}
> [general]
> enabled=yes
> webenabled=no
> port=5038
> bindaddr=0.0.0.0
> allowmultiplelogin=no
> displayconnects=yes
> [admin]
> secret=secret
> read=all
> write=all
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
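The Challenge/MD5 login exchange discussed in this thread, as an added example that is neither Asterisk code nor part of the comment: a small Python client sends Challenge with the UserName header the comment describes, derives Key = MD5(challenge + secret) so the secret itself never crosses the wire, and sends Login. The user name, secret and the live-connection helper are assumptions for illustration.

```python
import hashlib
import socket

def parse_ami_message(raw: str) -> dict:
    """Turn one CRLF-terminated AMI message block into a dict of header -> value."""
    headers = {}
    for line in raw.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers

def build_ami_message(headers: dict) -> str:
    """Serialise headers as 'Key: value' lines terminated by a blank line."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"

def challenge_request(username: str) -> str:
    # Send UserName so a server running allowmultiplelogin=no returns a challenge
    # instead of "Login Already In Use" (the behaviour described in the comment).
    return build_ami_message({"Action": "Challenge", "UserName": username, "AuthType": "MD5"})

def md5_login_key(challenge: str, secret: str) -> str:
    # AMI MD5 auth: Key = hex(MD5(challenge || secret)); the secret never goes on the wire.
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()

def login_request_from_reply(reply: str, username: str, secret: str) -> str:
    """Validate the reply to Challenge and build the Login action; raise with the server's Message otherwise."""
    hdrs = parse_ami_message(reply)
    if hdrs.get("Response") != "Success" or "Challenge" not in hdrs:
        raise RuntimeError(hdrs.get("Message", "no challenge in reply"))
    key = md5_login_key(hdrs["Challenge"], secret)
    return build_ami_message({"Action": "Login", "AuthType": "MD5", "Username": username, "Key": key})

def read_ami_block(sock: socket.socket) -> str:
    buf = b""  # read until the blank line that terminates one AMI message
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")

def ami_md5_login(host: str, username: str, secret: str, port: int = 5038) -> dict:
    """Live exchange against a real manager: banner, Challenge, Login; returns the parsed Login reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.recv(4096)  # banner line, e.g. "Asterisk Call Manager/1.3"
        sock.sendall(challenge_request(username).encode("utf-8"))
        login = login_request_from_reply(read_ami_block(sock), username, secret)
        sock.sendall(login.encode("utf-8"))
        return parse_ami_message(read_ami_block(sock))
```

If the server answers the Challenge with an Error block, the raised message ("Login Already In Use" or "Permission denied") is exactly the symptom reported in the issue, which makes the failure easy to log and alert on.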