[asterisk-gui] Question regarding Challenge/Response mechanism over rawman

Pari Nannapaneni pari at digium.com
Fri May 11 11:28:31 MST 2007


Hi Jared,

The challenge/token/md5 stuff does work fine over http, but you need to make sure you use
the same mansession_id you got along with the token while making the login request.

All browsers do this automatically by default, so you do not have to actually do anything other than
calculating MD5( token + password ) and making a new request.

Below is an example that worked fine in my test.

thanks
-Pari


<script src="scripts/prototype.js"></script>
<script src="http://pajhome.org.uk/crypt/md5/md5.js"></script>
<script>
//***** test.html (put in /var/lib/asterisk/static-http/config/test.html) *****

var asterisk_rawmanPath = "../../rawman" ;
var manager_uname = 'admin';
var manager_pwd = 'secret';

// Send one rawman request; the browser attaches the mansession_id cookie by itself,
// so the login lands in the same manager session that issued the challenge.
function makerequest(a, b){
	var tmp;
	var opt = {
		method: 'get',
		parameters: a,
		asynchronous: true,
		onComplete: function(t){ if(b){ b(t.responseText); } }
	};
	tmp = new Ajax.Request( asterisk_rawmanPath, opt);
}

// Step 3: show the login response.
function f2(t){	alert(t);}

// Step 2: pull the token out of the "Challenge: ..." line (String#strip comes from
// prototype.js), compute MD5( token + password ) and send it as the login key.
function f1(t){
	var d = hex_md5( t.split("Challenge: ")[1].strip() + manager_pwd);
	makerequest( 'action=login&username='+manager_uname+'&AuthType=md5&key='+ d, f2);
}

// Step 1: ask for the challenge token.
function f3(){
	makerequest('action=challenge&username='+manager_uname+'&AuthType=md5', f1);
}
</script>
<body onload="f3();"></body>


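The same flow in Python, as an added example that is not part of Pari's message or of Asterisk: a constructed stand-in for rawman remembers the challenge per mansession_id, and a small client shows the login succeeding when the cookie from the challenge reply is carried over and failing when it is dropped. FakeRawman, login, md5_key and parse_challenge are assumed names; the reply lines follow the "Response:" / "Challenge:" / "Message:" format quoted in the thread.

```python
import hashlib
import os
import re

def parse_challenge(rawman_text):
    """Pull the token out of a rawman reply such as 'Response: Success / Challenge: 1234'."""
    m = re.search(r"^Challenge:\s*(\S+)", rawman_text, re.M)
    if not m:
        raise ValueError("no Challenge line in reply")
    return m.group(1)

def md5_key(challenge, secret):
    """Login key = MD5(challenge + secret) as lowercase hex, same as hex_md5() in the script above."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()

class FakeRawman:
    """Constructed stand-in (not Asterisk) for the behaviour described in the thread:
    the challenge is remembered per mansession_id, so the login must arrive with the
    same cookie or it lands in a fresh session that never saw the challenge."""

    def __init__(self, users):
        self.users = users      # username -> secret, as in manager.conf
        self.sessions = {}      # mansession_id -> pending challenge (or None)

    def request(self, params, cookie=None):
        # A missing or unknown cookie gets a brand-new session id (a new Set-Cookie).
        sid = cookie if cookie in self.sessions else os.urandom(4).hex()
        self.sessions.setdefault(sid, None)
        if params.get("action") == "challenge":
            self.sessions[sid] = os.urandom(4).hex()
            return "Response: Success\r\nChallenge: %s\r\n\r\n" % self.sessions[sid], sid
        if params.get("action") == "login":
            challenge = self.sessions[sid]
            secret = self.users.get(params.get("username"))
            if challenge and secret and params.get("key") == md5_key(challenge, secret):
                return "Response: Success\r\nMessage: Authentication accepted\r\n\r\n", sid
            return "Response: Error\r\nMessage: Authentication failed\r\n\r\n", sid
        return "Response: Error\r\nMessage: Unknown action\r\n\r\n", sid

def login(server, username, secret, keep_cookie=True):
    """Two-step login: challenge, then login with key=MD5(token+secret).
    keep_cookie=False drops the mansession_id on the second request (the failure in the thread)."""
    text, sid = server.request({"action": "challenge", "username": username, "AuthType": "md5"})
    key = md5_key(parse_challenge(text), secret)
    text, _ = server.request(
        {"action": "login", "username": username, "AuthType": "md5", "key": key},
        cookie=sid if keep_cookie else None)
    return text.startswith("Response: Success")
```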
Jared Smith wrote:
> I'm trying to write some documentation for the next edition of the
> O'Reilly book on Asterisk, and I'm having a problem logging in over
> the rawman interface.  Specifically, I'm having problems if I try to
> use the challenge/response mechanism.
> 
> First, let me set the stage:
> 
> I have a manager user set up in manager.conf, like this:
> 
>    [oreilly]
>    secret = notvery
>    read = system,call,log,verbose,command,agent,user,config
>    write = system,call,log,verbose,command,agent,user,config
> 
> I've verified that Asterisk is indeed seeing the manager user by
> typing "manager show users" at the Asterisk CLI.
> 
> I can log in just fine if I pass the username and secret directly to
> rawman, like:
> 
> http://localhost:8088/asterisk/rawman?action=login&username=oreilly&secret=notvery 
> 
> 
> However, if I try to use the Challenge action and login that way, it
> fails.  (For those of you not familiar with the challenge/response
> system in the Asterisk Manager Interface, it allows you to get a token
> that you can use to authenticate yourself without passing your secret
> in plain text across the wire.  In a nutshell, you request the
> challenge token, then create an md5 hash of the token and your secret
> concatenated together, and then use that new hash as a login key.)  I
> can request the challenge token just fine, by doing:
> 
> http://localhost:8088/asterisk/rawman?action=challenge&AuthType=md5
> 
> However, when I generate the md5 key and use it to try to login, it
> fails.  The following also shows up in /var/log/asterisk/messages,
> which leads me to believe there's a bug:
> 
> [May 10 21:25:28] DEBUG[10718] manager.c: Manager received command 'challenge'
> [May 10 21:26:08] DEBUG[10723] manager.c: Manager received command 'login'
> [May 10 21:26:08] NOTICE[10723] manager.c: 127.0.0.1 tried to
> authenticate with nonexistent user 'oreilly'
> [May 10 21:26:09] DEBUG[10723] manager.c: Need destroy, doing it now!
> 
> Notice how it's saying that the user 'oreilly' is non-existent?  Could
> that be a bug with the rawman interface?  Am I missing something
> simple?  The only other thing that might be related is cookies.  I
> notice that when I do the "challenge" action, a cookie is set which
> looks like:
> 
> Set-Cookie: mansession_id="17778ff6"; Version="1"; Max-Age=60
> 
> My browser then sends that cookie back when I try to use the "login"
> action.  However, Asterisk then sends back a *new* manager session id
> to replace the old one, as shown by the conversation below:
> 
> GET /asterisk/rawman?action=login&username=oreilly&AuthType=md5&key=61508fe74adfded5e8dce58a2171f6e5 HTTP/1.1
> Host: localhost:8088
> User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.0.10) Gecko/20070313 Fedora/1.5.0.10-5.fc6 Firefox/1.5.0.10
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: mansession_id="17778ff6"
> 
> HTTP/1.1 200 OK
> Server: Asterisk/SVN-branch-1.4-r61658M
> Date: Fri, 11 May 2007 01:40:00 GMT
> Connection: close
> Content-type: text/plain
> Set-Cookie: mansession_id="11b7ffb7"; Version="1"; Max-Age=60
> 
> Response: Error
> Message: Authentication failed
> 
> 
> If you have any ideas, please let me know.  (And if you've made it
> this far into this email, thanks for being patient... I realize this
> email is a bit long-winded.)
> 
> -Jared


