[asterisk-users] Auto provisioning from public server

C F shmaltz at gmail.com
Wed Oct 27 08:51:06 CDT 2010


Some guidelines:
1. Https
2. The file on the https server is username/pass protected.
3. The username and pass combo has access ONLY to config files it should have.
4. Directory listing should ALWAYS be disabled.

If you can't use https or username/pass then at the very least,
disable directory listing.
For Polycom phones keep in mind:
If the password to the phone's HTTP page is not changed, then using the
following script one will be able to read the SIP credentials. While
some might not mind it, there should be no reason for an end user to
know the SIP credentials. Here is the script; just paste it into a
favorite button on your toolbar with any browser, and whenever you see
asterisks on a page hit it :D
===begin script, it's one line===
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms;
for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
(f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if
(s) alert("Password is:\n\n" + s); else alert("No passwords");})();
====end script====
This works even for saved passwords. What's interesting is that even if
the password was never entered or saved with the browser you are
using, the Polycom interface will populate the real password masked
with asterisks.

With Polycom phones you can use the following (this is meant for when
you give a phone to a customer but they are entering the provisioning
settings):
1. Create a config file that is password protected with a temp password.
2. That config file should contain new config settings with a new
unique username/pass combo.
3. Delete that file once accessed
4. In the configs change the interface password of the phone.
5. Make sure that directory listing is disabled on the http server and
that the username/pass combo will only show this phones config files.

Hope this helps.


On Wed, Oct 27, 2010 at 8:28 AM, Andrew Latham <lathama at gmail.com> wrote:
> http://wiki.snom.com/wiki/index.php/Settings/http_client_user
>
> On Wed, Oct 27, 2010 at 9:14 AM, Jonas Kellens <jonas.kellens at telenet.be> wrote:
>> On 10/27/2010 01:55 PM, Andrew Latham wrote:
>>> Jonas
>>>
>>> A quick look at the snom wiki will tell you that I am right...
>>>
>>
>> At what page are you looking then ??
>>
>> I only see : http://wiki.snom.com/Settings/http_scheme
>>
>>
>> Jonas.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
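The server-side guidelines above (per-credential access to exactly one config file, no directory listing, temp-password file deleted once fetched) can be illustrated with a small provisioning server. This is an added example, not code from the post or from Asterisk or Polycom; the device names, passwords and file names in DEVICE_ACCESS are constructed sample data, and TLS (guideline 1) is left to a reverse proxy in front of it.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

# Constructed sample data (hypothetical, not from the post): one unique
# username/password per phone, each mapped to the single config file that
# credential is allowed to retrieve. A real deployment would keep these in a
# database with hashed passwords; plain strings keep the example short.
DEVICE_ACCESS = {
    "phone-000000000001": ("temp-pass-abc123", "000000000001.cfg"),
    "phone-000000000002": ("temp-pass-def456", "000000000002.cfg"),
}


def authenticate(auth_header):
    """Return the username from an HTTP Basic header, or None if it fails."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    entry = DEVICE_ACCESS.get(user)
    if entry is None:
        return None
    # Constant-time comparison so a wrong password leaks nothing via timing.
    if not hmac.compare_digest(password.encode("utf-8"), entry[0].encode("utf-8")):
        return None
    return user


def handle_request(path, auth_header, root, one_time=True):
    """Serve exactly one file per credential; everything else is 401 or 404.

    Returns (status_code, body_bytes). There is no directory listing by
    construction: the credential decides which single file may be read, and
    the requested path is only accepted when it names exactly that file.
    """
    user = authenticate(auth_header)
    if user is None:
        return 401, b"authentication required"
    allowed = DEVICE_ACCESS[user][1]
    # "/", another phone's file, traversal attempts: all refused identically.
    if path.lstrip("/") != allowed:
        return 404, b"not found"
    target = Path(root) / allowed
    if not target.is_file():
        return 404, b"not found"
    body = target.read_bytes()
    if one_time:
        # Step 3 of the post: the temp-password config disappears once fetched.
        target.unlink()
    return 200, body


class ProvisioningHandler(BaseHTTPRequestHandler):
    root = "."  # directory holding the per-phone config files

    def do_GET(self):
        status, body = handle_request(
            self.path, self.headers.get("Authorization"), self.root
        )
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="provisioning"')
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Plain HTTP on localhost for demonstration only; terminate HTTPS in a
    # reverse proxy (or wrap the socket with ssl.SSLContext) before exposing it.
    HTTPServer(("127.0.0.1", 8080), ProvisioningHandler).serve_forever()
```

Because the credential, not the URL, selects the file, a valid phone login still cannot enumerate or fetch other phones' configs, which is the "access ONLY to config files it should have" rule from the guidelines.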
