Ticket #2498 (new Feature Requests)

Opened 4 years ago

Last modified 2 years ago

Ability to use md5secret

Reported by: flewid
Assigned to: p_lindheimer
Priority: minor
Milestone: Undetermined
Component: Core - Users/Devices
Version: 2.3.1
Keywords: md5secret, extensions, user, device, sip
Cc:
Confirmation: Confirmed
SVN Revision (if applicable):
Backend Engine: Asterisk 1.4.x
Backend Engine Version:

Description

It looks like md5secrets can't be used with FreePBX. This doesn't appear to be a feature request, because many devices (and security-aware administrators) want encrypted passwords. I've modified 2.3 to include this functionality and am including the said code here for you to add into the main trunk, and possibly to IAX devices as well.

What This Hack Does:

  1. Allow you to specify secret or md5secret for peer
  2. Allow you to type plaintext secret in md5secret field, and it will run md5sum

What This Hack Doesn't Do:

  1. Add MD5Secret Ability to IAX Devices
  2. Work if your asterisk realm is set to something other than "asterisk".
  3. Allow device passwords longer than 32 characters.
  4. Display Popup warnings if no passwords are entered

How to enable this on your FreePBX / Asterisk 1.4 Installation:

  1. Edit functions.inc.php in the core modules directory of FreePBX
          # cd /var/www/admin/modules/core/
          # cp functions.inc.php functions.inc.php.original
          # nano functions.inc.php
  2. Look for the function named "core_devices_addsip" and replace it with the following:

          //add to sip table
          function core_devices_addsip($account) {
              global $db;
              global $currentFile;

              // Collect every devinfo_* form field as an (id, keyword, data) row
              foreach ($_REQUEST as $req=>$data) {
                  if ( substr($req, 0, 8) == 'devinfo_' ) {
                      $keyword = substr($req, 8);
                      if ( $keyword == 'dial' && $data == '' ) {
                          $sipfields[] = array($account, $keyword, 'SIP/'.$account);
                      } elseif ($keyword == 'mailbox' && $data == '') {
                          $sipfields[] = array($account,'mailbox',$account.'@device');
                      } elseif ($keyword == 'md5secret' && $data != '') {
                          // Hash the typed value as account:realm:secret, realm fixed to "asterisk"
                          $sipfields[] = array($account, 'md5secret', md5($account.':asterisk:'.$data));
                      } else {
                          $sipfields[] = array($account, $keyword, $data);
                      }
                  }
              }
              // The function is not closed in this snippet; its body continues past this point
  3. Directly following the "core_devices_addsip" function is the sipfields array. Replace it with the following piece of code:

          if ( !is_array($sipfields) ) { // left for compatibility....lord knows why !
              $sipfields = array(
                  //array($account,'account',$account),
                  array($account,'accountcode',(isset($_REQUEST['accountcode']))?$_REQUEST['accountcode']:''),
                  array($account,'secret',(isset($_REQUEST['secret']))?$_REQUEST['secret']:''),
                  array($account,'md5secret', (isset($_REQUEST['md5secret']))? $_REQUEST['md5secret']:''),
                  array($account,'canreinvite',(isset($_REQUEST['canreinvite']))?$_REQUEST['canreinvite']:'no'),
                  array($account,'context',(isset($_REQUEST['context']))?$_REQUEST['context']:'from-internal'),
                  array($account,'dtmfmode',(isset($_REQUEST['dtmfmode']))?$_REQUEST['dtmfmode']:''),
                  array($account,'host',(isset($_REQUEST['host']))?$_REQUEST['host']:'dynamic'),
                  array($account,'type',(isset($_REQUEST['type']))?$_REQUEST['type']:'friend'),
                  array($account,'mailbox',(isset($_REQUEST['mailbox']) && !empty($_REQUEST['mailbox']))?$_REQUEST['mailbox']:$account.'@device'),
                  array($account,'username',(isset($_REQUEST['username']))?$_REQUEST['username']:$account),
                  array($account,'nat',(isset($_REQUEST['nat']))?$_REQUEST['nat']:'yes'),
                  array($account,'port',(isset($_REQUEST['port']))?$_REQUEST['port']:'5060'),
                  array($account,'qualify',(isset($_REQUEST['qualify']))?$_REQUEST['qualify']:'yes'),
                  array($account,'callgroup',(isset($_REQUEST['callgroup']))?$_REQUEST['callgroup']:''),
                  array($account,'pickupgroup',(isset($_REQUEST['pickupgroup']))?$_REQUEST['pickupgroup']:''),
                  array($account,'disallow',(isset($_REQUEST['disallow']))?$_REQUEST['disallow']:''),
                  array($account,'allow',(isset($_REQUEST['allow']))?$_REQUEST['allow']:'')
                  //array($account,'record_in',(isset($_REQUEST['record_in']))?$_REQUEST['record_in']:'On-Demand'),
                  //array($account,'record_out',(isset($_REQUEST['record_out']))?$_REQUEST['record_out']:'On-Demand'),
                  //array($account,'callerid',(isset($_REQUEST['description']))?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>')
              );
          }
  4. Look for the SIP Temporary Arrays, around line 2973, and add this value. We're not sure if it's required, but it works with it here so we left it.

          $tmparr['md5secret'] = array('value' => '', 'level' => 0);
  5. Exit and save the file
  6. Refresh FreePBX Extension and you should now see md5secret available as an option. This field also appears on the add new sip extension page as well.

Attached is the modified functions.inc.php to diff against the original copy.
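
The value the modified function stores is md5(account:realm:secret) with the realm fixed to "asterisk". The PHP below is an added example, not part of the ticket, the attached patch or FreePBX; its function names and sample values are hypothetical. It shows how that stored value is used to check a SIP digest response and why a realm other than "asterisk" makes the check fail.

```php
<?php
// Added illustration; not FreePBX or Asterisk code. Function names are hypothetical.

// Value stored as md5secret: md5("<account>:<realm>:<secret>").
function sip_md5secret(string $account, string $secret, string $realm = 'asterisk'): string
{
    if ($secret === '') {
        throw new InvalidArgumentException('secret must not be empty');
    }
    // A ":" in the account or realm would make the hashed string ambiguous.
    if (strpos($account, ':') !== false || strpos($realm, ':') !== false) {
        throw new InvalidArgumentException('":" is not allowed in account or realm');
    }
    return md5($account . ':' . $realm . ':' . $secret);
}

// Digest response without qop (RFC 2617): md5(HA1:nonce:md5(method:uri)).
function sip_digest_response(string $ha1, string $method, string $uri, string $nonce): string
{
    return md5($ha1 . ':' . $nonce . ':' . md5($method . ':' . $uri));
}

// Server-side check: only the stored md5secret is needed, never the cleartext.
function sip_check_response(string $md5secret, string $method, string $uri, string $nonce, string $response): bool
{
    return hash_equals(sip_digest_response($md5secret, $method, $uri, $nonce), strtolower($response));
}

// Constructed sample values.
$account = '1001';
$secret  = 'constructed-sample-secret';
$uri     = 'sip:pbx.example.invalid';
$nonce   = '5f1c0e3a';

// What the patched core_devices_addsip() would write for this device.
$stored = sip_md5secret($account, $secret);

// Phone challenged with realm "asterisk": derives the same HA1 from the cleartext.
$fromPhone = sip_digest_response(sip_md5secret($account, $secret, 'asterisk'), 'REGISTER', $uri, $nonce);
var_dump(sip_check_response($stored, 'REGISTER', $uri, $nonce, $fromPhone));

// Phone challenged with another realm: its HA1 differs from the stored value.
$otherRealm = sip_digest_response(sip_md5secret($account, $secret, 'pbx.example.invalid'), 'REGISTER', $uri, $nonce);
var_dump(sip_check_response($stored, 'REGISTER', $uri, $nonce, $otherRealm));
```

Because the server verifies responses from md5secret alone, the file or table holding it needs the same access controls as one holding a cleartext secret; what is gained is that the cleartext itself is no longer stored.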

Attachments

functions.inc.php.new.txt (136.7 kB) - added by flewid on 11/18/07 22:15:52.
Modified functions.inc.php for md5secret
md5secret.patch (4.5 kB) - added by flewid on 11/28/07 18:42:43.
Patch File

Change History

11/18/07 22:15:52 changed by flewid

  • attachment functions.inc.php.new.txt added.

Modified functions.inc.php for md5secret

11/28/07 18:42:43 changed by flewid

  • attachment md5secret.patch added.

Patch File

11/28/07 18:43:52 changed by flewid

Added a proper patch file. Please patch source so when we upgrade our servers it doesn't get overwritten :)

02/07/08 11:05:26 changed by p_lindheimer

  • confirmation changed from Unreviewed to Confirmed.
  • type changed from Bugs to Feature Requests.
  • milestone changed from Cut Line to 3.0.

moving to next milestone to consider the feature request

07/15/08 19:46:51 changed by p_lindheimer

  • milestone changed from 2.5 to 3.0.

review when we look at device and users changes.

11/11/08 04:44:18 changed by mbrevda

11/11/08 04:47:53 changed by flewid

Well, it's not so much for the security as in that it seems Cisco phones with the SIP image just won't work unless you are using MD5SECRET instead of Secret. This appears to be confirmed on the 7970 and I think the 7960, but I would have to double check the last one.

Some people like Cisco phones :)

11/12/08 02:43:39 changed by flewid

Hi Lazytt, I made this comment yesterday but apparently there were issues last night with Trac :)

It should be an option, not a "you must set this" because you're right, some phones don't support it (Grandstream I believe is one, maybe that's changed now). I do know that most phones do support it, so I'm sure it will be a welcome addition.

11/12/08 02:44:47 changed by flewid

I should also note that I'm still using this patch with Asterisk 1.6 + FreePBX 2.5 Latest, and it still applies with no issues.

08/18/09 16:22:08 changed by p_lindheimer

  • milestone changed from 2.6 to 2.7.