Hi, Folks --
I am hoping that someone here has a helpful solution to this issue, as I have been trying to resolve this for a while now with no luck.
I am running FreePBX 2.9.0.5. I recently received the notification in FreePBX "You are running with the default, well-known Asterisk Manager Password" message, and so I changed the value of AMPMGRPASS in the two files that I am supposed to -- namely, /etc/amportal.conf and /etc/asterisk/manager.conf.
However, upon attempting to reload the config in FreePBX, I get the following fatal error:
----------------
exit: 1
Mon, 30 May 2011 18:21:35 -0700 - Failed to login.
[FATAL] Unable to connect to Asterisk Manager from /var/lib/asterisk/bin/retrieve_conf, aborting
----------------
Needless to say, the Asterisk status in the FreePBX GUI is now red, and none of the areas such as Extensions, etc., are accessible.
Looking for other instances of the default Asterisk Manager Password in the config files, I found it also in the file /etc/asterisk/extensions_additional.conf but changing it there as well had no effect. I have taken all obvious steps, such as restarting the server, etc.
Does anyone know how I can get FreePBX working properly again without changing back to the default Asterisk Manager Password (and presumably, re-opening the vulnerability)?
Thanks, any assistance would be greatly appreciated.
-- Wentil
PS: As an aside, if this is a security hole (as would seem to be indicated by the error message), the process of changing this password should be much easier, and indeed, each install should use a randomly-generated password instead of every install using the same default password.
The FreePBX distribution provides automatic random passwords. If you install by hand or via a distribution that does not provide this facility you must take care of it yourself.
WRT your question, did your restart Asterisk?
Make sure the passwords in manager.conf and amportal.conf match exactly then run an amportal stop/amportal start.
Scott Holtzman, CTO
Micro Advantage, Inc.
http://www.microadv.com
Hi, Skyking. Thanks for taking the time to reply and help me out, I really appreciate it!
To explain a bit further, I installed the latest version of FreePBX from the ISO available at the FreePBX site, and did all the upgrades up to Beta from inside the GUI, and at the end of it all, the default Asterisk Manager Password was still in place (it's a Hidden Setting). I'm kind of surprised FreePBX did not provide the random password functionality on the ISO, but that's neither here nor there -- if they've added it in the source, I'm sure it will make it to the ISO version in time. In the meanwhile, I can just keep changing it by hand... well, hopefully.
Anyway, WRT suggesting restarting Asterisk, yes, certainly I restarted Asterisk. As per my original post, I even restarted the entire server. There was no change.
Looking at the top of the /etc/amportal.conf I took note of the warning:
#;-----------------------------------------------------------------------------$
#; Do NOT edit this file as it is auto-generated by FreePBX. All modifications $
#; this file must be done via the Web GUI. There are alternative files to make
#; custom modifications, details at: http://freepbx.org/configuration_files
#;-----------------------------------------------------------------------------$
Which leads me to believe I should have changed it through the GUI instead of via shell and nano. Why I didn't see that before I don't know. Although, it shouldn't make a difference for test purposes.
So I am changing it back to the default password and will try altering it in the Advanced Settings page under FreePBX. I'll post my results here momentarily.
I changed all three config files back to the default password, and everything worked again.
So I then went into the Advanced Settings area, revealed the Hidden and Read-Only options, overrode the Read-Only options and changed the password there.
The same problem, and the same error, occurs as when I manually edited the files.
I reverted to the default password and it works again.
Obviously we can't leave it with the default password set like this -- it surely must be a security hole given the "well-known" password warning that popped up in FreePBX, but I'm not sure why it's a Hidden Setting if it's a security hole.
Any thoughts or suggestions?
The distro does indeed generate a random password. I am not sure what is happening.
I do have a question, why would you expose the MySQL port to the Internet? There is no good reason. If MySQL is not exposed the PWD issue is mute.
Scott Holtzman, CTO
Micro Advantage, Inc.
http://www.microadv.com
Hi again, Skyking!
I am not exposing the MySQL Port.
The only ports I am exposing are SSH, WEB, SIP:TCP, SIP:UDP, UDP 5060-5080 and UDP 10000-20000, and I start/stop the httpd service (it's set to not start up on boot by default) when I need it, shutting it down after I am done accessing the FreePBX interface.
I am only concerned because FreePBX warned that I was still using the default, well-known password.
If it is a moot point, why would FreePBX issue a warning?
I would very much like to change the password, but the normal methods just don't seem to be working.
-- Wentil
Might anyone else have experienced this and have found a way to change the Asterisk Manager Password without causing this error?
Distro installes DO use random password. Where did you try to change the password from?
Moshe Brevda
Hi Moshe --
Thanks for taking the time to write, and to help me out on this. I really, really appreciate it.
I installed from the latest ISO image downloaded from the FreePBX site, "AsteriskNOW-1.7.1-i386.iso". From there I performed all available updates through the FreePBX GUI and am now running FreePBX 2.9.0.5. I was notified by FreePBX the other day that the default Asterisk Manager Password was in place, and checking, I found that to be true (although I had changed all other passwords when asked).
Initially I tried changing that Default Password from bash using nano in the three conf files that contain it:
-- /etc/amportal.conf
-- /etc/asterisk/manager.conf
-- /etc/asterisk/extensions_additional.conf
But once it was changed, FreePBX lost its Asterisk Status and would not perform a config update. Even forcing a reload through rebooting the server did not change this. So, I changed the password back to the default -- and all worked fine once again.
Re-reading the notice at the top of the config files, I went into the Advanced Settings area, revealed the Hidden and Read-Only options to show the Asterisk Manager Password, overrode the Read-Only options and changed the password there.
Yet the same problem, and the same error, occured as when I manually edited the files -- a red Asterisk status and FreePBX would not reload its config files.
So, I reverted to the default password and it worked again.
Is there some other area in the FreePBX GUI to change the Asterisk Manager Password, other than the Hidden area under the Advanced Settings tab? What am I doing wrong?
-- Wentil
Your not doing anything wrong. Due to the inner workings of FreePBX, your encountering a "race condition" where two event need to take place after each other - and each needs the other to go first. Try this: edit manager.conf then update Advanced Settings. Then, from the asterisk cli do a 'module reload manager'. Now see if FreePBX will play nice.
Moshe Brevda
Hi Moshe --
That did it! The password has been changed, and FreePBX is working fine.
Thanks once again for your help in this matter -- really!
I hope this thread is useful to other folks who experience this same issue.
-- Wentil
...and I hope that we close the bug thats open on this issue so that no one will need this thread :-)
Moshe Brevda
That's always best. :-)
Well, the bad news is that someone definitely needed this info. The good news is that you guys worked this out and blazed the trail for me.
I certainly don't want to cast any stones in my glass house, but as a developer, I have to ask the question, how the heck did this make it through any testing? Changing the password from the default should be a pretty basic test case.
At any rate, I'm just glad to be back up and running. You guys are awesome, thanks for a great product!
Jamie
Now works again!
It solved my issues with freePBX 2.9.
Although I still have a blank page trying to use the embedded freePBX in Elastix 2.2 :-((
But hé I can config use "ipaddress"/admin/index.php (this is Asterisk, I know)
Thanks.
I am also having this problem.
I found this thread by searching for errors from the original poster. I've tried everything in this thread, including the resolution, but I must be doing it wrong.
To the point, that even the default password doesn't work.
Can anyone lend a hand?
I have followed this procedure (maybe wrong)
edited /etc/asterisk/manager.conf
edited Advanced Settings (and clicked save, but not Apply -- it will fail)
I've done "module reload manager" from the CLI.
While in the console, I see this:
== Connect attempt from '127.0.0.1' unable to authenticate
And retrieve_conf shows me this:
[asterisk@pbx ~]$ /var/lib/asterisk/bin/retrieve_conf
[FATAL] Unable to connect to Asterisk Manager from /var/lib/asterisk/bin/retrieve_conf, aborting
I'm unsure of what else do to.
You are in a race condition, follow these steps:
view /etc/amportal.conf
Change /etc/asterisk/manager.conf to match amportal settings.
The command is "manager reload" from the asterisk CLI.
You should now be all set.
Scott Holtzman, CTO
Micro Advantage, Inc.
http://www.microadv.com
Well, I got this working. I went over everything.
Finally, I decided to run a tcpdump on port 5038, and I trapped the password that FreePBX was sending to Asterisk. I changed asterisk to this password, and everything played nice.
It wasn't the default password, and it wasn't my new password. but it was a password I had changed while testing. I still do not know where that password was stored. I manually changed amportal.conf and manager.conf... but this password was stored elsewhere.
What command did you use to retrieve the password?
i tried "tcpdump -i any -v tcp port 5038 > dump"
but that's not really working.
Yes starting with 2.9 it is stored and read from the MySQL Database not amportal.conf
Tony Lewis
Schmooze Com, Inc.
FreePBX Developer
How can I view/change that password in the MySQL Database?
I had a similar experience which was solved by adding
permit=127.0.0.1/255.255.255.0
to [admin] in manager.conf
i entered a new password into ./install_FreePBX and apply config fails with retrieve_conf encounters an error.
unable to set advanced settings to look at, or change, AMPMGRPASSWORD, as apparently a reload_config is required (which of course doesn't work because cannot connect)
looking in database, default password is still there; configuration files have different password.
changing password in database doesn't seem to effect the change; tcpdump shows NO packets when apply config clicked.
changing password (to default) in manager.conf, amportal.conf, and "module reload manager" has no apparent effect.
rebooting didn't help.