3-Factor Authentication and Vicidial WebPhone

Discussions about development of VICIDIAL and astGUIclient

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

3-Factor Authentication and Vicidial WebPhone

Postby jerryriggin » Thu Apr 20, 2017 1:36 pm

Greetings, All.

I have a client who needs to allow agents to login as local agents over the public IP. To make this secure, in addition to password conventions, I plan to text a one-time-code to the agent's cell phone (setup in the vicidial_users table) after they have entered their username and password. Then they will be required to enter the code they received to authenticate.

I have 2 questions.

1. This seems relatively simple -- am I re-inventing the wheel?
2. Does the Vicidial web phone and/or the PBXWebPhone use port 5060 or an HTTPS tunnel for SIP? If 5060, that makes it a bit less simple to be secure. In that case what is the best way insert the agent's current IP from login request into the SIP invite for the login call?

Thanks for your thoughts.

BTW: I will post all the code here.
jerryriggin
 
Posts: 21
Joined: Sun Oct 30, 2011 10:45 pm

Re: 3-Factor Authentication and Vicidial WebPhone

Postby mflorell » Fri Apr 21, 2017 5:51 am

I've never set up 3-factor authentication like that, but we did just add IP-whitelisting per user group and web resource to the svn/trunk codebase recently though.

As for WebRTC, while Asterisk uses SIP accounts for it, it is very different and operates over it's own port for the encrypted RTP stream. Are you using it now?
mflorell
Site Admin
 
Posts: 15807
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: 3-Factor Authentication and Vicidial WebPhone

Postby jerryriggin » Fri Apr 21, 2017 9:49 am

I have played with some of the resources at https://webrtc.org/, but it also says "Signaling methods and protocols are not specified by WebRTC." So my understanding is that signalling is determined by the application. There are many signaling methods listed at https://github.com/muaz-khan/WebRTC-Exp ... gnaling.md, so I was wondering what methods the new Vicidial web phone and PBXWebPhone, and which would integrate best with my 3-factor authentication scheme. I guess my basic question is, once I have established an HTTPS connection with the remote agent's browser, what else is required to register the agent's phone so it can get the login call from Vicidial. Do I need to use STUN and/or TURN servers?

I know I could install PBXWebPhone or the Vicidial web phone and experiment, (and I will) but I'm just trying to gather as much information on the required config before I begin.
jerryriggin
 
Posts: 21
Joined: Sun Oct 30, 2011 10:45 pm

Re: 3-Factor Authentication and Vicidial WebPhone

Postby chornyi_taras » Fri Apr 21, 2017 10:02 am

I think that you can secure port 8089(default web sockets port used by PBXWebphone) for signalling and use turn server for sending audio to asterisk(Vicidial).
ViciBox: 7.0.3 | VERSION: 2.12-560aBUILD: 160617-1427 | Webphone: PBXWebPhone

Skype: tarasukcho
chornyi_taras
 
Posts: 59
Joined: Tue Jun 14, 2016 3:41 pm
Location: L'viv, Ukraine

Re: 3-Factor Authentication and Vicidial WebPhone

Postby mflorell » Fri Apr 21, 2017 11:45 am

If you send an email in to support@vicidial.com, then mcargile will send you the instructions for using the beta VICIphone WebRTC phone. We have several clients and non-clients using it in production at this point, and it seems to be fairly stable when using Asterisk 11 servers.
mflorell
Site Admin
 
Posts: 15807
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: 3-Factor Authentication and Vicidial WebPhone

Postby chornyi_taras » Fri Apr 21, 2017 12:37 pm

mflorell wrote:If you send an email in to support@vicidial.com, then mcargile will send you the instructions for using the beta VICIphone WebRTC phone. We have several clients and non-clients using it in production at this point, and it seems to be fairly stable when using Asterisk 11 servers.

Matt did you patch asterisk 11? Cause AFAIK asterisk version that sipped with vicibox desn not work with latest firefox(issue related to webrtc support in asterisk)
ViciBox: 7.0.3 | VERSION: 2.12-560aBUILD: 160617-1427 | Webphone: PBXWebPhone

Skype: tarasukcho
chornyi_taras
 
Posts: 59
Joined: Tue Jun 14, 2016 3:41 pm
Location: L'viv, Ukraine

Re: 3-Factor Authentication and Vicidial WebPhone

Postby mflorell » Fri Apr 21, 2017 12:46 pm

I know we patched either Asterisk 11 or VICIphone, because we just set a new client up with the VICI webphone last week and it's been working great for them. To be clear, I didn't personally do the patching :)
mflorell
Site Admin
 
Posts: 15807
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: 3-Factor Authentication and Vicidial WebPhone

Postby jerryriggin » Fri Apr 21, 2017 12:57 pm

Thanks! I'm installing PBXWebphone on ViciBox v2.14b0.5 virtual machine according to your wiki and other relevant posts. I'll develop the 3-factor authentication on that system and post again when get confused, which will likely not be too long. :)
jerryriggin
 
Posts: 21
Joined: Sun Oct 30, 2011 10:45 pm

Re: 3-Factor Authentication and Vicidial WebPhone

Postby jerryriggin » Fri Apr 21, 2017 1:05 pm

Thanks, Matt. I spoke with mcargile last week and I believe he will be installing VIciphone on their system. Since I have never done it it with WebRTC (only Zoipper) I wanted to get it done correctly the first time. I will ask him about instructions for the beta so I can install that on a VM myself.
jerryriggin
 
Posts: 21
Joined: Sun Oct 30, 2011 10:45 pm

Re: 3-Factor Authentication and Vicidial WebPhone

Postby jerryriggin » Tue May 02, 2017 6:33 pm

Here is the code so far. This performs the 3-factor authentication by sending a 4-digit code to the phone in custom_one of the vicidial_users record. It is configured for https://www.twilio.com/try-twilio SMS, so you need a free account there to test this. The Twilio classes are expected to be in document_root/sms. To keep it clean, there is zero formatting, CSS, etc. I also tried to make it very readable with no PHP shorthand.

Here is the include file: wan-login-include.php
Code: Select all
<?php
if (!($_SESSION["SSID"])) {
   session_start();
   $_SESSION["SSID"]=session_id();
}
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
// MySQL Server:
$dbIP="127.0.0.1";
$dbUN="cron";
$dbPW="1234";
$dbDB="asterisk";
// Twilio account:
$sid = "AC52284e2************0c26f7d29a45a";
$token = "b120ced************59b54cc1e93a";
function logit($msg) {
      $logdate=date('Y-m-d');
      $log='/srv/www/htdocs/logs/wan-login_' . $logdate . '.log';
      $dt=date('Y-m-d H:i:s');
      $f=fopen($log, 'a');
      fwrite($f,"$dt\t$msg\n");
      fclose($f);
}

?>


This is the initial login page: wan-login.php
Code: Select all
<?php
include "wan-login-include.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>3-Factor Wan Login</title>
</head>
<body>
<form action="wan-login-validateLogin.php" method="post">
User Login: <input type="text" maxlength="30" size="20" name="unm"></div>
User Password: <input type="password" maxlength="30" size="20" name="pwd"></div>
<?php
$sid=$_SESSION["SSID"];
$inv=$_SESSION["inv"];
// the $_SESSION["inv"] keeps track of re-attempts
if ($inv==1) {
   echo '<B>Invalid Username or Password</B><BR>';
}
?>
<input type="submit" class="submit button" value="Submit">
</body>
</html>


This code checks the UN/PW and if valid, calls a function that sends the SMS: wan-login-validateLogin.php
Code: Select all
<?php
include "wan-login-include.php";
$mysqli = new mysqli($dbIP, $dbUN, $dbPW, $dbDB);
// test if session un/pw are set from a failed OTC attempt
if (isset($_SESSION["unm"])) {
   $unm=$_SESSION["unm"];
} else {
   $unm=$mysqli->real_escape_string($_REQUEST["unm"]);
}
if (isset($_SESSION["pwd"])) {
   $pwd=$_SESSION["pwd"];
} else {
   $pwd=$mysqli->real_escape_string($_REQUEST["pwd"]);
}
$qry="select user_id from vicidial_users where user='$unm' and pass='$pwd'";
$res = $mysqli->query($qry);
if (!$res) {
    die('Query failed: ' . $mysqli->error . '<br/>');
}
$row = $res->fetch_row();
$uid=$row[0];
$nr=$res->num_rows;

if ($res->num_rows==1) {
   $uid=$row[0];
   $_SESSION["inv"]=0;
   $_SESSION["pwd"]=$pwd;
   $_SESSION["unm"]=$unm;
   $_SESSION["uid"]=$uid;
   $ssid=$_SESSION["SSID"];
   $otc=getOTC($uid);
   logit("validateLogin: OTC $otc for $uid @ session $ssid");
   $_SESSION["otc"]=$otc;
   header("Location: wan-loginOTC.php");
   
   die("UNAUTHORIZED");
} else {
   $_SESSION["inv"]=1;
   header("Location: wan-login.php");
   die("UNAUTHORIZED");
}
exit();

function getOTC($uid) {
       $url="https://127.0.0.1/wan-login-sendOTC.php";
      $curlSession = curl_init();
      curl_setopt($curlSession, CURLOPT_URL, $url);
      curl_setopt($curlSession, CURLOPT_HEADER, FALSE);
      curl_setopt($curlSession, CURLOPT_POST, TRUE);
      curl_setopt($curlSession, CURLOPT_POSTFIELDS, "uid=$uid");
      curl_setopt($curlSession, CURLOPT_RETURNTRANSFER,TRUE);
      curl_setopt($curlSession, CURLOPT_TIMEOUT,5000);
      curl_setopt($curlSession, CURLOPT_SSL_VERIFYPEER, FALSE);
      curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, FALSE);
      $response = curl_exec($curlSession);
   curl_close($curlSession);
   logit("wan-login-sendOTC: OTC=$response");
   return $response;
}

?>


This is the code called by the getOTC function: wan-login-sendOTC.php. Replace +17275551212 with your Tilio phone number. (The statusCallback object is not used here, but allows you to get responses from SMS.)
Code: Select all
<?php
include "wan-login-include.php";
require_once "sms/Twilio/autoload.php";
$client = new Twilio\Rest\Client($sid, $token);
$mysqli = new mysqli($dbIP, $dbUN, $dbPW, $dbDB);
$uid=$_REQUEST["uid"];
$ssid=session_id();
//$sid=$_SESSION["SSID"];
//echo "Session: $sid<br>UID: $uid<br>";
logit("wan-login-sendOTC:: $uid for session $ssid");
$query="select custom_one from vicidial_users where user_id=$uid;";
$res = $mysqli->query($query);
if (!$res) {
    logit('Query failed: ' . $mysqli->error );
}
$row = $res->fetch_row();
$sms_phone=$row[0];
$nr=$res->num_rows;
$otc=rand(1000,9999);
if ($res->num_rows==1) {
   try {
      $message = $client->messages->create(
        $sms_phone,
        array(
         'from' => '+17275551212',
         'body' => "Access Code: $otc",
         'statusCallback' => "http://requestb.in/1cnux861"
        )
      );
   } catch (Exception $e) {
      logit($e->getMessage());
   }
   $x=logit("$message\t$sms_phone\t$otc");
   //var_dump($message);
}
echo $otc;
exit();


This is the page where the user enters the SMS OTC: wan-loginOTC.php
Code: Select all
<?php
include "wan-login-include.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>3-Factor Wan Login</title>
</head>
<body>
<form action="wan-login-validateOTC.php" method="post">
<?php
$inv=$_SESSION["inv"];
$unm=$_SESSION["unm"];
$otc=$_SESSION["otc"];
if ($inv==2) {
   //user entered incorrect OTC
   $instruction='<B>IVALID ACCESS CODE! A new 4-digit code has been sent to your phone.<br>Enter it below and click Submit.</B><BR><BR>';
} else {
   $instruction='<B>A 4-digit code has been sent to your phone.<br>Enter it below and click Submit.</B><BR><BR>';
}
if (is_numeric($otc)) {
   echo $instruction;
   echo 'User Login: <input class="inputarea" type="text" maxlength="30" size="20" value=".' . $unm . '" name="unm"></div>';
   echo 'Access Code: <input class="inputarea"  type="text" maxlength="30" size="20" name="userotc"></div>';
   echo '<input type="submit" class="submit button" value="Submit">';
} else {
   echo '<B>You are not authorized for remote access.<br>Please contact your supervisor.</B><BR><BR>';
}
?>
</html>


The, finally, this code checks it and will (eventually) log the user into Vicidial, which should trigger loading ViciPhone: wan-login-validateOTC.php
Code: Select all
<?php
include "wan-login-include.php";
$mysqli = new mysqli($dbIP, $dbUN, $dbPW, $dbDB);
$unm=$_SESSION["unm"];
$pwd=$_SESSION["pwd"];
$uid=$_SESSION["uid"];
$userOTC=$_REQUEST["userotc"];
$otc=$_SESSION["otc"];

// test OTC
if ($otc==$userOTC) {
   logit("validateOTC: Valid OTC $otc for $uid @ session $ssid");
   // need best way to login user since we already have UN/PW
   header("Location: index.html");
} else {
   $_SESSION["inv"]=2;
   logit("validateOTC: Invalid OTC $otc for $uid @ session $ssid");
   header("Location: wan-loginOTC.php");
}
?>


Any comments, suggestion, criticisms, etc. greatly appreciated.

Oh, it also writes a log into a directory "logs" in htdocs.
jerryriggin
 
Posts: 21
Joined: Sun Oct 30, 2011 10:45 pm


Return to Development

Who is online

Users browsing this forum: No registered users and 1 guest