how to change the default asteriskuser password

Discussion in 'General' started by caldwell, Mar 7, 2011.

  1. caldwell

    Joined:
    Nov 8, 2010
    Messages:
    22
    Likes Received:
    0
    A client needs an Elastix box secured. It seems that Elastix by default has a password for 'asteriskuser' which will allow login on the web interface (unembedded FreePBX, I believe). However, I can't find good documentation on how to change that password. There are lots of config files referencing either that user or that password, but I'm not sure if any/all of them need to be changed or if this is stored in a database somewhere totally separate.

    Help?
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I believe later versions of FreePBX have this patched; unfortunately, Elastix does not actually use FreePBX but their own forked up and old version. (dicko doesn't, so can't check that vulnerability; he posted a bug in the Elastix bug-tracker on this matter, but we as yet await a valid response.)

    A workaround might be to go the old time-honored htaccess route and not allow asteriskuser until we get clarification from PaloSanto.

    http://home.golden.net/htaccess.html

    but a good point to bring up.
     
  3. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    What I would do is the following:

    1. mysql -uroot -p (you will need to enter the root password)
    2. use mysql;
    3. set password for 'asteriskuser'@'localhost' = PASSWORD('my.New_PaSSword.20o0');
    (you will need to put your new password instead of my.New_PaSSword.20o0)
    4. quit
    5. Edit /etc/amportal.conf
    Set the password for AMPDBPASS (the same one used in step #3)
    6. Edit /etc/asterisk/cdr_mysql.conf
    Set the password for asteriskuser to the one used in step #3
    7. cd /var/www/html/modules/
    Execute:
    grep -r "asteriskuser" *
    8. Change the password in all files listed; use the same password as in step #3
     
  4. caldwell

    Joined:
    Nov 8, 2010
    Messages:
    22
    Likes Received:
    0
    I found several instances of 'asteriskuser,' but the files there do not contain the password referenced previously in amportal.conf. Have they changed this to dynamically use the password from other sources, or am I supposed to hard code the new password in these files somewhere?

    Thanks for your help.
     
  5. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    Paste the reference file and the line that has a different password
     
  6. caldwell

    Joined:
    Nov 8, 2010
    Messages:
    22
    Likes Received:
    0
    This is unclear to me. Would you mind giving an example?
     
  7. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    Paste the output of:

    grep -r "asteriskuser" /etc/asterisk/*
     
  8. caldwell

    Joined:
    Nov 8, 2010
    Messages:
    22
    Likes Received:
    0
    /etc/asterisk/cbmysql.conf:password=eLaStIx.asteriskuser.2oo7
    /etc/asterisk/cbmysql.conf:user=asteriskuser
    /etc/asterisk/cdr_mysql.conf:;password = eLaStIx.asteriskuser.2oo7
    /etc/asterisk/cdr_mysql.conf:user = asteriskuser
    /etc/asterisk/extensions_additional.conf:AMPDBUSER = asteriskuser
    /etc/asterisk/res_mysql.conf:dbuser = asteriskuser
    /etc/asterisk/res_mysql.conf:dbpass = eLaStIx.asteriskuser.2oo7

    and for /var/www/html/modules, it is:

     
  9. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    I don't see any difficulty or big deal in changing the password for asteriskuser. According to your output, the only files in which to change the password will be:

    /etc/asterisk/cbmysql.conf (password=eLaStIx.asteriskuser.2oo7)
    /etc/asterisk/cdr_mysql.conf (password = eLaStIx.asteriskuser.2oo7)
    /etc/asterisk/res_mysql.conf (dbpass = eLaStIx.asteriskuser.2oo7)
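
The rotation steps in post 3 and the file list in post 9 leave one thing to verify afterwards: that every credential line now carries the new password and none still carries the old one. The following is an added example, not code from the thread or from Elastix; it assumes the key names seen in the thread (password, dbpass, AMPDBPASS), the names audit_creds and demo_audit are hypothetical, and the sample passwords are constructed placeholders.

```shell
# audit_creds OLD NEW FILE...   (hypothetical helper, not an Elastix tool)
# Prints "STATUS file key" for every password/dbpass/AMPDBPASS line; the
# password values themselves are never printed.
#   STALE     active line still holds the old password
#   MISMATCH  active line holds something other than the new password
#   OK        active line holds the new password
#   COMMENTED line is commented out (';' or '#') but still holds the old one
# Exit status is 1 if any STALE or MISMATCH line was found, else 0.
audit_creds() {
    old=$1; new=$2; shift 2
    # Passwords go through the environment so awk does not interpret
    # backslashes in them, as it would with -v assignments.
    OLD="$old" NEW="$new" awk '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        {
            line = $0
            commented = (line ~ /^[ \t]*[;#]/)
            sub(/^[ \t]*[;#]+[ \t]*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = trim(substr(line, 1, eq - 1))
            val = trim(substr(line, eq + 1))
            if (key != "password" && key != "dbpass" && key != "AMPDBPASS") next
            if (commented) {
                if (val == ENVIRON["OLD"]) print "COMMENTED", FILENAME, key
                next
            }
            if (val == ENVIRON["OLD"])      { print "STALE", FILENAME, key; bad = 1 }
            else if (val == ENVIRON["NEW"]) { print "OK", FILENAME, key }
            else                            { print "MISMATCH", FILENAME, key; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: three files in a temp dir, placeholder passwords.
demo_audit() {
    d=$(mktemp -d) || return 2
    printf 'user=asteriskuser\npassword=OLD.example.pw\n' > "$d/cbmysql.conf"
    printf ';password = OLD.example.pw\npassword = NEW.example.pw\n' > "$d/cdr_mysql.conf"
    printf '# db settings\nAMPDBPASS=NEW.example.pwd\n' > "$d/amportal.conf"
    rc=0
    (cd "$d" && audit_creds OLD.example.pw NEW.example.pw ./*.conf) || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real box it would be called as audit_creds "$OLD" "$NEW" /etc/amportal.conf /etc/asterisk/*.conf, and a MISMATCH line means that file disagrees with the password set in MySQL.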
     
  10. caldwell

    Joined:
    Nov 8, 2010
    Messages:
    22
    Likes Received:
    0
    Ah. No problem changing the /etc/asterisk files. I thought I had to make changes to files in /var/www/html/modules also. And I couldn't find the password listed there anywhere.

    Thanks for the help.

    Somewhere along the way, Elastix needs to remove or disable this default user though. It's a security breach which shouldn't exist.
     
  11. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
