[Asterisk-Dev] Asterisk Manager encryption

Kristian Kielhofner kris at krisk.org
Mon Dec 12 11:33:32 MST 2005 

John Todd wrote:
> [Hopefully I'm not duplicating effort, but I'm sure others have come up 
> with these ideas already.  Apologies if this is a rehash of some 
> conversation already under way, but I haven't yet heard about it. 
> Searching through code did not reveal any hidden encryption tools in 
> manager.c, but I could just be overlooking them.]
> 
> I have several Asterisk servers on the Wild Internet that I'd like to be 
> able to reach without "tunneling" the connections via SSH.  I'd love for 
> the Flash Operator Panel, Asterisk Manager Proxy, and anything else that 
> talks to Asterisk's Manager API to be able to do so without relying on 
> ssh port forwarding to ensure a secure connection.
> 
> Why:
> 
>   1: Creation of SSH tunnels requires adding a user on the system, which 
> introduces security issues when cross-domain access is required.
> 
>   2: Creation of SSH tunnels requires that SSH be running with a 
> consistent security model across all destinations.
> 
>   3: I am a big believer in encryption in the protocol, and not relying 
> on tunnels.  Tunnels suck.  If you disagree with this point, don't read 
> further.
> 
> 
> So, I would propose something like this:
> 
>   1) A new configuration option in the manager.conf file is added, which 
> would be "encrypt".  Values would be:
>    yes = After login, all communications would be encrypted with the 
> shared secret key of the manager user, regardless of client desires
>    no = After login, no communications would be encrypted, regardless of 
> client desires.
>    optional = Client may specify encryption with "Encrypt: Yes" action 
> keyword during login (this is the default if nothing is specified)
> 
>   2) Regardless of if the session has been started with a "secure" key 
> phrase exchange, it should be the case that the shared secret key 
> between the client and server should be used as a seed for a stream 
> cipher or other method of encrypting the traffic between the client and 
> the server.  These details are a bit beyond my grasp, but it is clear 
> that very sensitive information is flowing out of manager interface 
> connections.  There will be (are?) third-party services across the 
> "big-I" Internet which may wish to connect to remote Asterisk servers, 
> and currently those sessions are unprotected. There exist in Asterisk 
> some encryption libraries which may be suited for this task already if 
> they can just be re-used in this environment, though I'm not familiar 
> enough with them to say that they will work with minimal effort.
> 
> This almost implies a new restriction on the MD5 exchange of passphrases 
> for Manager logins - as a security-conscious administrator, I would like 
> to forbid (globally, or per user) any logins that were not using the 
> poorly-documented (but functional!) MD5 password exchange methods 
> already in the Manager API, if only to prevent the repeated blasting of 
> secure data across the unsecure network.  Maybe 
> "secure=[yes,no,optional]" as a new modifier?
> 
> 
> Who would do at least the encryption part?  I don't know.  I'm not 
> yelling at anyone to do it, but I'm identifying the problem, suggesting 
> a method, and if there is some programmer who wants to take up the task 
> (hey, Dave Troy!  have another Jolt and get on this, eh?  ;-) I can 
> throw them a few bucks.  But a very few bucks, so hopefully this will be 
> done by someone out of need and merit, and not by funding.
> 
> 
> EXAMPLE NOTES
> 
> Here is a really basic sample of what I'd expect to see if I were to 
> connect to the manager interface and try to log in as a user that had 
> "encrypt=yes" specified for that user ID.  (For those of you struggling 
> with MD5 login processes, I created my Challenge-response by typing "md5 
> -s 617153281foobar" on a shell line to generate my Key below, though the 
> addition of the non-existent "Encrypt" command will cause an actual 
> login to fail.)
> 
> 
> [test-user]
> secret=foobar
> encrypt=yes
> deny=0.0.0.0/0.0.0.0
> permit=127.0.0.1/255.255.255.255
> permit=10.0.0.0/255.255.255.0
> 
> 
> [root at bunkhouse asterisk]# telnet localhost 5038
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Asterisk Call Manager/1.0
> Action: Challenge
> AuthType: MD5
> 
> Response: Success
> Challenge: 617153281
> 
> Action: Login
> AuthType: MD5
> Username: test-user
> Key: 50eb4a3b155f6c4913ed3345dcba21e0
> Encrypt: Yes
> 
> Response: Success
> Message: Authentication accepted
> Message: Encryption started with shared keys
> 
> <binary encrypted data starts to flow here, containing Manager events>
> 
> 
> 
> JT

JT,

	As another poster pointed out, stunnel:

http://stunnel.mirt.net/index.html

	Is an excellent solution for generic tunneling without messing with 
OpenSSH.  It supports passwords, x509 certs, and any algo that you have 
in openssl.

	Although I do think it would be nice to see more crypto in Asterisk...

-- 
Kristian Kielhofner

More information about the asterisk-dev mailing list