On Tue, 16 Jan 2018 18:18:18 +0200 Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:

> On Tue, Jan 16, 2018 at 11:05:01AM +0100, Paul Neuwirth wrote:
> > Hello group,
> >
> > what is the preferred method to connect to asterisk cli over
> > network? I need to run asterisk cli commands remotely.
>
> As others have mentioned: the manager interface is normally better for
> running over network.
>
> The manager interface also has an action called 'Command' that runs a
> CLI command. In fact, contrib/scripts/astcli uses it to allow
> providing a remote console.
>
> Permissions needed for your manager user: For most things just:
>
> write=command
>
> To also be able to originate calls:
>
> write=command,originate
>
> To also be able to restart / reload:
>
> write=command,system
>
> > Sharing the unix socket through NFS, if that's working?
>
> No.
>
> > Or any other approaches, despite using SSH or rlogin, rsh.
>
> SSH: should work, sure. However, it means you ssh to root at the
> remote host. Better set a key with 'command' explicitly set in
> authorized_keys for this.
>
> Rlogin, rsh: seriously? Anybody still uses those? Not only are they
> way less secure than SSH, they are also way less convenient than any
> decent SSH implementation.
>
> Anyway, as mentioned before: you should probably use AMI.

Thank you both. That was (most likely) what I was looking for - but still some worries about sending plaintext passwords...

For my simple commands a simple netcat command works for me. Previously used asterisk -rx in scripts. But now asterisk servers and other processes are split over multiple physical servers. A binary or script, making use of encryption and miming asterisk -r would be best. I am wondering, why such a tool is not part of asterisk itself...

maybe I give this a try setting up a user (group asterisk) with asterisk -r as "login shell".. and use ssh.. or something like that. It should be that safe, no other commands can be executed..

On Tuesday 16 January 2018 at 18:19:30, Paul Neuwirth wrote:

> On Tue, 16 Jan 2018 18:18:18 +0200 Tzafrir Cohen wrote:
>
> > Anyway, as mentioned before: you should probably use AMI.
>
> Thank you both. That was (most likely) what I was looking for - but
> still some worries about sending plaintext passwords...

AMI can operate over TLS.

Antony.

--
Numerous psychological studies over the years have demonstrated that the majority of people genuinely believe they are not like the majority of people.

Please reply to the list;
please *don't* CC me.

true, here is how to do it
https://blog.russellbryant.net/2008/01/30/asterisk-16-features-tls-for-manager-ami-and-http/

On Tue, Jan 16, 2018 at 5:27 PM, Antony Stone <Antony.Stone at asterisk.open.source.it> wrote:

> On Tuesday 16 January 2018 at 18:19:30, Paul Neuwirth wrote:
>
>> On Tue, 16 Jan 2018 18:18:18 +0200 Tzafrir Cohen wrote:
>>
>> > Anyway, as mentioned before: you should probably use AMI.
>>
>> Thank you both. That was (most likely) what I was looking for - but
>> still some worries about sending plaintext passwords...
>
> AMI can operate over TLS.
>
> Antony.

On Tue, Jan 16, 2018 at 06:19:30PM +0100, Paul Neuwirth wrote:

> Thank you both. That was (most likely) what I was looking for - but
> still some worries about sending plaintext passwords...

The AMI interface can use a Challenge-Response mechanism for logins; if you are this concerned you should use this even over TLS/SSL/SSH.
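
The challenge-response login mentioned above, carried over a certificate-verified TLS connection, as an added Python example that is not part of any message in this thread. The client asks for a challenge and answers with the hex MD5 of the challenge followed by the secret, so the secret itself is never sent; the host, port, CA file, username and secret below are placeholders, and `connect_tls` assumes AMI is configured with a TLS listener.

```python
import hashlib
import socket
import ssl

def build_action(name, **headers):
    """Serialize an AMI action: 'Key: Value' lines ended by a blank line."""
    lines = [f"Action: {name}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def read_message(rfile):
    """Read one AMI message (header lines up to a blank line) into a dict."""
    msg = {}
    while True:
        line = rfile.readline().decode().rstrip("\r\n")
        if not line:  # blank line ends the message; EOF also lands here
            return msg
        key, _, value = line.partition(":")
        msg[key.strip()] = value.strip()

def challenge_key(challenge, secret):
    """Key for 'AuthType: MD5': hex MD5 of the challenge followed by the secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()

def ami_login(sock, username, secret):
    """Log in without sending the secret; return True on 'Response: Success'."""
    rfile = sock.makefile("rb")
    rfile.readline()  # greeting line, e.g. "Asterisk Call Manager/<version>"
    sock.sendall(build_action("Challenge", AuthType="MD5"))
    reply = read_message(rfile)
    if reply.get("Response") != "Success" or "Challenge" not in reply:
        return False
    key = challenge_key(reply["Challenge"], secret)
    sock.sendall(build_action("Login", AuthType="MD5", Username=username, Key=key))
    return read_message(rfile).get("Response") == "Success"

def connect_tls(host, port, cafile=None):
    """Open a certificate-verified TLS connection to the AMI TLS listener."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)

if __name__ == "__main__":
    # Placeholder host, port, CA file and credentials: replace with your own.
    with connect_tls("pbx.example.net", 5039, cafile="ca.pem") as s:
        print("logged in:", ami_login(s, "remotecli", "change-me"))
```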