[asterisk-gui] Question regarding Challenge/Response mechanism over rawman

Jared Smith jaredsmith at jaredsmith.net
Thu May 10 18:50:35 MST 2007


I'm trying to write some documentation for the next edition of the
O'Reilly book on Asterisk, and I'm having a problem logging in over
the rawman interface.  Specifically, I'm having problems if I try to
use the challenge/response mechanism.

First, let me set the stage:

I have a manager user set up in manager.conf, like this:

    [oreilly]
    secret = notvery
    read = system,call,log,verbose,command,agent,user,config
    write = system,call,log,verbose,command,agent,user,config

I've verified that Asterisk is indeed seeing the manager user by
typing "manager show users" at the Asterisk CLI.

I can log in just fine if I pass the username and secret directly to
rawman, like:

http://localhost:8088/asterisk/rawman?action=login&username=oreilly&secret=notvery

However, if I try to use the Challenge action and login that way, it
fails.  (For those of you not familiar with the challenge/response
system in the Asterisk Manager Interface, it allows you to get a token
that you can use to authenticate yourself without passing your secret
in plain text across the wire.  In a nutshell, you request the
challenge token, then create an md5 hash of the token and your secret
concatenated together, and then use that new hash as a login key.)  I
can request the challenge token just fine, by doing:

http://localhost:8088/asterisk/rawman?action=challenge&AuthType=md5

However, when I generate the md5 key and use it to try to login, it
fails.  The following also shows up in /var/log/asterisk/messages,
which leads me to believe there's a bug:

[May 10 21:25:28] DEBUG[10718] manager.c: Manager received command 'challenge'
[May 10 21:26:08] DEBUG[10723] manager.c: Manager received command 'login'
[May 10 21:26:08] NOTICE[10723] manager.c: 127.0.0.1 tried to authenticate with nonexistent user 'oreilly'
[May 10 21:26:09] DEBUG[10723] manager.c: Need destroy, doing it now!

Notice how it's saying that the user 'oreilly' is non-existent?  Could
that be a bug with the rawman interface?  Am I missing something
simple?  The only other thing that might be related is cookies.  I
notice that when I do the "challenge" action, a cookie is set which
looks like:

Set-Cookie: mansession_id="17778ff6"; Version="1"; Max-Age=60

My browser then sends that cookie back when I try to use the "login"
action.  However, Asterisk then sends back a *new* manager session id
to replace the old one, as shown by the conversation below:

GET /asterisk/rawman?action=login&username=oreilly&AuthType=md5&key=61508fe74adfded5e8dce58a2171f6e5 HTTP/1.1
Host: localhost:8088
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.0.10) Gecko/20070313 Fedora/1.5.0.10-5.fc6 Firefox/1.5.0.10
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: mansession_id="17778ff6"

HTTP/1.1 200 OK
Server: Asterisk/SVN-branch-1.4-r61658M
Date: Fri, 11 May 2007 01:40:00 GMT
Connection: close
Content-type: text/plain
Set-Cookie: mansession_id="11b7ffb7"; Version="1"; Max-Age=60

Response: Error
Message: Authentication failed


If you have any ideas, please let me know.  (And if you've made it
this far into this email, thanks for being patient... I realize this
email is a bit long-winded.)

-Jared

