Asterisk config manager.conf

Configuration of the Asterisk manager API.

Note that activating the manager API opens a TCP port. Make sure you know what you are doing. It may be enough to activate it only on the local loopback interface, 127.0.0.1. Alternatively, communication can be secured with SSL/HTTPS by using AstManProxy, and there is also AMI SSL/TLS support in Asterisk 1.6.

New: Asterisk 1.4 introduces AMI-over-http as an alternative approach, using the internal Asterisk http server (see AJAM).
New: Asterisk 1.8 introduces the ‘originate’ flag

Note: “portno” has changed to “port” (at least as of Asterisk 1.2.4), so if one doesn’t work, try the other. Simply reloading Asterisk will not enable the manager; you must shut down Asterisk and restart it. To test, just telnet to port 5038 on the Asterisk box. If bindaddr = 0.0.0.0, the manager will bind to ALL IPs on the server.

See doc/manager_1_1.txt in the Asterisk source code for more, and up-to-date, documentation.

Example

  ;
  ; Asterisk Call Management support
  ;
  [general]
  enabled = yes
  port = 5038 
  bindaddr = 0.0.0.0
  webenabled = no

  ; Each user has a section labeled with the username
  ; so this is the section for the user named "mark"
  [mark]
  secret = mysecret
  deny=0.0.0.0/0.0.0.0
  permit=209.16.236.73/255.255.255.0
  permit=127.0.0.1/255.255.255.0
  read = system,call,log,verbose,command,agent,user,originate
  write = system,call,log,verbose,command,agent,user,originate

Security tips

  • No encryption is used; even the password is sent in plaintext. (Notes: however, you can use MD5 challenge-and-reply for a slightly safer means of transmitting the password; Asterisk 1.4 will come with SSL encryption.)
  • Don’t enable it on a public IP.
  • Use http://www.stunnel.org/ or an SSH tunnel.
  • Be careful with management programs that have a direct interface to the manager.
  • Limit the privileges per user (especially the system!)
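
The tips above can be checked mechanically. The following is an added example, not part of the original page or of Asterisk: a small Python audit that reads a manager.conf and reports a non-loopback bindaddr, users without a deny-all rule, permit entries that admit non-loopback clients, and write access to high-risk groups. The RISKY set, the treatment of a missing bindaddr as 0.0.0.0, and the function names are assumptions of this example; the sample input is constructed from the example config on this page.

```python
import ipaddress

# Constructed sample: the example manager.conf shown on this page.
SAMPLE = """\
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
[mark]
secret = mysecret
deny=0.0.0.0/0.0.0.0
permit=209.16.236.73/255.255.255.0
permit=127.0.0.1/255.255.255.0
write = system,call,log,verbose,command,agent,user,originate
"""
RISKY = {"system", "command"}  # assumption: write groups this check treats as high-risk
DENY_ALL = {"0.0.0.0/0.0.0.0", "0.0.0.0/0"}

def parse(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as permit."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Return a list of findings based on the security tips above."""
    sections, findings = parse(text), []
    general = dict(sections.pop("general", []))
    # Assumption: a missing bindaddr is treated as 0.0.0.0 (all interfaces).
    bind = general.get("bindaddr", "0.0.0.0")
    if general.get("enabled", "no").lower() == "yes" and not ipaddress.ip_address(bind).is_loopback:
        findings.append(f"general: manager listens on non-loopback address {bind}")
    for user, opts in sections.items():
        if not any(k == "deny" and v in DENY_ALL for k, v in opts):
            findings.append(f"{user}: no deny=0.0.0.0/0.0.0.0 rule")
        for k, v in opts:
            if k == "permit" and not ipaddress.ip_network(v, strict=False).is_loopback:
                findings.append(f"{user}: permit {v} allows non-loopback clients")
            if k == "write":
                groups = {g.strip().lower() for g in v.split(",")} & RISKY
                if groups:
                    findings.append(f"{user}: write access to {', '.join(sorted(groups))}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
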

Questions

Anyone able to explain the exact meaning of each of these entries?

system,call,log,verbose,command,agent,user,originate

Answer

Every manager API command registered by the various Asterisk modules has a privilege group associated with it. For a manager API user to be able to issue a command, the user must have read or write privilege for the appropriate group. The following is a list of commands grouped by privilege group as of Asterisk 1.2.7.1:

  • system: DBGet, DBPut, SIPpeers, SIPshowpeer
  • call: Hangup, Status, Setvar, Getvar, Redirect, Originate, ExtensionState, AbsoluteTimeout, MailboxStatus, MailboxCount, SetCDRUserField, Monitor, StopMonitor, ChangeMonitor
  • log: * couldn’t find any *
  • verbose: * couldn’t find any *
  • command: Command
  • Agent: Agents, AgentLogoff, AgentCallbackLogin, QueueAdd, QueueRemove, QueuePause
  • User: in ‘deviceanduser’ amportal.conf mode, shows when a user logs on and logs off on a device
  • originate: Originate a call
  • None (commands that can be issued without explicit privileges associated): Ping, Events, Logoff, ListCommands, ZapTransfer, ZapHangup, ZapDialOffhook, ZapDNDon, ZapDNDoff, ZapShowChannels, IAXpeers, IAXnetstat, Queues, QueueStat, ParkedCalls
