[Asterisk-Dev] Asterisk Manager encryption

John Todd jtodd at loligo.com
Mon Dec 12 00:12:45 MST 2005


[Hopefully I'm not duplicating effort, but I'm sure others have come 
up with these ideas already.  Apologies if this is a rehash of some 
conversation already under way, but I haven't yet heard about it. 
Searching through code did not reveal any hidden encryption tools in 
manager.c, but I could just be overlooking them.]

I have several Asterisk servers on the Wild Internet that I'd like to 
be able to reach without "tunneling" the connections via SSH.  I'd 
love for the Flash Operator Panel, Asterisk Manager Proxy, and 
anything else that talks to Asterisk's Manager API to be able to do 
so without relying on ssh port forwarding to ensure a secure 
connection.

Why:

   1: Creation of SSH tunnels requires adding a user on the system, 
which introduces security issues when cross-domain access is required.

   2: Creation of SSH tunnels requires that SSH be running with a 
consistent security model across all destinations.

   3: I am a big believer in encryption in the protocol, and not 
relying on tunnels.  Tunnels suck.  If you disagree with this point, 
don't read further.


So, I would propose something like this:

   1) A new configuration option in the manager.conf file is added, 
which would be "encrypt".  Values would be:
    yes = After login, all communications would be encrypted with the 
shared secret key of the manager user, regardless of client desires
    no = After login, no communications would be encrypted, regardless 
of client desires.
    optional = Client may specify encryption with "Encrypt: Yes" 
action keyword during login (this is the default if nothing is 
specified)

   2) Regardless of if the session has been started with a "secure" 
key phrase exchange, it should be the case that the shared secret key 
between the client and server should be used as a seed for a stream 
cipher or other method of encrypting the traffic between the client 
and the server.  These details are a bit beyond my grasp, but it is 
clear that very sensitive information is flowing out of manager 
interface connections.  There will be (are?) third-party services 
across the "big-I" Internet which may wish to connect to remote 
Asterisk servers, and currently those sessions are unprotected. 
There exist in Asterisk some encryption libraries which may be suited 
for this task already if they can just be re-used in this 
environment, though I'm not familiar enough with them to say that 
they will work with minimal effort.

This almost implies a new restriction on the MD5 exchange of 
passphrases for Manager logins - as a security-conscious 
administrator, I would like to forbid (globally, or per user) any 
logins that were not using the poorly-documented (but functional!) 
MD5 password exchange methods already in the Manager API, if only to 
prevent the repeated blasting of secure data across the unsecure 
network.  Maybe "secure=[yes,no,optional]" as a new modifier?


Who would do at least the encryption part?  I don't know.  I'm not 
yelling at anyone to do it, but I'm identifying the problem, 
suggesting a method, and if there is some programmer who wants to 
take up the task (hey, Dave Troy!  have another Jolt and get on this, 
eh?  ;-) I can throw them a few bucks.  But a very few bucks, so 
hopefully this will be done by someone out of need and merit, and not 
by funding.


EXAMPLE NOTES

Here is a really basic sample of what I'd expect to see if I were to 
connect to the manager interface and try to log in as a user that had 
"encrypt=yes" specified for that user ID.  (For those of you 
struggling with MD5 login processes, I created my Challenge-response 
by typing "md5 -s 617153281foobar" on a shell line to generate my Key 
below, though the addition of the non-existent "Encrypt" command will 
cause an actual login to fail.)


[test-user]
secret=foobar
encrypt=yes
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
permit=10.0.0.0/255.255.255.0


[root@bunkhouse asterisk]# telnet localhost 5038
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Asterisk Call Manager/1.0
Action: Challenge
AuthType: MD5

Response: Success
Challenge: 617153281

Action: Login
AuthType: MD5
Username: test-user
Key: 50eb4a3b155f6c4913ed3345dcba21e0
Encrypt: Yes

Response: Success
Message: Authentication accepted
Message: Encryption started with shared keys

<binary encrypted data starts to flow here, containing Manager events>



JT
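
The MD5 challenge/login exchange shown in the message above, with both sides in Python. This is an added example, not part of the original post and not Asterisk's own code. Assumptions: the names `parse_action`, `md5_key` and `ManagerAuth` are hypothetical, the response strings are modelled on the transcript, and the post's proposed `secure` option is read as "yes" refusing plaintext `Secret:` logins.

```python
import hashlib
import hmac
import secrets

def parse_action(block):
    """Parse one manager message ("Key: Value" lines) into a dict with lowercased keys."""
    fields = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def md5_key(challenge, secret):
    """Hex MD5 of the challenge followed by the secret (the post's `md5 -s`)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()

class ManagerAuth:
    """Server side of the login for one connection (hypothetical helper)."""
    def __init__(self, users, secure="optional"):
        self.users = users        # username -> shared secret
        self.secure = secure      # assumed reading of the proposed option
        self.challenge = None     # outstanding challenge, if any

    def handle(self, block):
        msg = parse_action(block)
        action = msg.get("action", "").lower()
        if action == "challenge" and msg.get("authtype", "").lower() == "md5":
            self.challenge = str(secrets.randbelow(10**9))
            return "Response: Success\nChallenge: " + self.challenge
        if action != "login":
            return "Response: Error\nMessage: Permission denied"
        secret = self.users.get(msg.get("username", ""))
        # A challenge is consumed by the next login attempt, so a captured
        # Key cannot be replayed on the same connection.
        challenge, self.challenge = self.challenge, None
        ok = False
        if secret is not None and "key" in msg and challenge is not None:
            expected = md5_key(challenge, secret).encode()
            ok = hmac.compare_digest(expected, msg["key"].lower().encode())
        elif secret is not None and "secret" in msg and self.secure != "yes":
            # Plaintext login: the secret itself crosses the network.
            ok = hmac.compare_digest(secret.encode(), msg["secret"].encode())
        if ok:
            return "Response: Success\nMessage: Authentication accepted"
        return "Response: Error\nMessage: Authentication failed"
```

The Key protects only the secret during login; everything sent after "Authentication accepted" is still cleartext, which is the gap the message proposes to close.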


