Avoiding plaintext passwords in manager.conf

I have an installation of Asterisk 17.4.0 and have AMI enabled. The user external applications use to connect with AMI is configured as follows in manager.conf:

[myuser]
secret = password
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting
writetimeout = 5000

The question I have is if it is possible to configure the secret property in the same way you can for an encrypted password in ari.conf. For example, like the following from the ARI documentation:

[asterisk-supersecret]
type = user
read_only = no
password = $6$nqvAB8Bvs1dJ4V$8zCUygFXuXXp8EU3t2M8i.N8iCsY4WRchxe2AYgGOzHAQrmjIPif3DYrvdj5U2CilLLMChtmFyvFa3XHSxBlB/
password_format = crypt

Is there a way to configure my AMI user in the same way, setting the secret property to the crypt format above? If not, is there another way I could go about protecting the secret? Additionally, if there is any documentation available anywhere on what properties can be used in manager.conf, that would be majorly helpful as well. Thanks in advance.

You can’t change the way passwords are stored, but you can avoid sending them in the clear over a manager connection, by using one or both of

  • Encrypting your AMI connections via SSL/TLS
  • Using challenge/response authentication instead of plaintext Login.

Manager’s documentation for the .conf file would be the sample configuration[1].

[1] asterisk/configs/samples/manager.conf.sample at 17.4.0 · asterisk/asterisk · GitHub

Thanks for your response. Clarification: We are using v18.6.0, not v17.4.0. We are establishing a connection over SSL as you suggested, but we still need to resolve storing that secret value as cleartext in the manager.conf. But your answer seems to indicate that it’s not possible.

Thanks for your response. Clarification: We are using v18.6.0, not v17.4.0. However the v18.6.0 sample conf documentation does not specify any option to encrypt the secret value rather than plain text, indicating such a thing is not supported. Can you confirm that it is not supported? Also, as a project lead, do you know of any plans to support password encryption for manager.conf in the future?

If it’s not in the .conf file, it’s not supported. I know of no one working on such a thing. You can submit a feature request here[1] if you want.

[1] GitHub - asterisk/asterisk-feature-requests: A place to submit feature and improvement requests for the Asterisk project. Contains no code.

Note that hashed passwords are fundamentally incompatible with challenge/response authentication. In order for each side to convince the other it knows the shared secret, it really has to know it, not a hash of it.

I suppose another option might be to implement something like SRP.

You can, though, use clear text passwords over an encrypted connection, as long as the password sender has authenticated the receiver by public key means. That is how most web site logins protect the password in transit, as the HTTP mechanisms don’t give the designers the freedom to produce the non-standard user interfaces that they desire.

(The worst example of the trade off that you refer to was the double hashing that was used by Microsoft; although the stored password didn’t look like the user one, knowing it was still sufficient to gain access in polynomial time.)

Ok I understand now, essentially I’m trying to do something that is not possible. Thanks all for the info.
