You can significantly reduce the potential for high fraudulent long distance charges by requiring a password be entered before the call is allowed. But why use a password when you can use a one time password (OTP) which changes every 30 seconds. All you need is for your users to have an ios or android, tablet or phone and the following changes on your asterisk machine!
The following code can be downloaded from https://sourceforge.net/projects/asterisk-otp-in-python/files
The steps are:
1. As root copy code shown below to create python program otpcode.py which will calculate one time passwords given a secret base32 password seed.
2. As root copy code shown below to create python program getotp.py which will act as a simple interface between asterisk and the otpcode program
3. As root copy code shown below to create get_base32_pwd which will generate base32 passwords to use. This secret base32 password will be stored on the asterisk machine and in your phone in step 5.
4. Add to your asterisk extensions a few lines of code to verify the OTP entered by the caller matches the OTP calculated by the python program
5. Install on your phone freeotp, an open source program that will calculate the OTP you will need to send to the asterisk machine.
1. using vi editor create new file by copying and pasting following code:
cd /etc/asterisk
vi /etc/asterisk/otpcode.py
i
#Portions Copyright (c) 2013, Twilio, Inc. from the site https://github.com/jpf/Twilio-TFA
# Based on the pyotp: https://github.com/nathforge/pyotp
#
#Portions Copyright (C) 2011 by Mark Percival <[email protected]>
#
#Python port copyright 2011 by Nathan Reynolds <[email protected]>
#
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:
#
#The above copyright notice and this permission notice shall be included in
#all copies or substantial portions of the Software.
#
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
#THE SOFTWARE.
import base64
import hashlib
import hmac
import datetime
import time
import sys
import random as _random
class ASECRET(object):
def __init__(self, length=16):
self.length = length
def random_base32(self, length=16, random=_random.SystemRandom(),
chars=list('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567')):
return ''.join(
random.choice(chars)
for _ in range(length)
)
class OTP(object):
def __init__(self, secret, digits=6):
self.secret = secret
def int_to_bytestring(self, int, padding=8):
"""
Turns an integer to the OATH specified
bytestring, which is fed to the HMAC
along with the secret
"""
result = []
while int != 0:
result.append(chr(int & 0xFF))
int = int >> 8
return ''.join(reversed(result)).rjust(padding, '\0')
def generate_otp(self, input):
"""
@param [Integer] input the number used seed the HMAC
Usually either the counter, or the computed integer
based on the Unix timestamp
"""
hmac_hash = hmac.new(
base64.b32decode(self.secret, casefold=True),
self.int_to_bytestring(input),
hashlib.sha1,
).digest()
offset = ord(hmac_hash[19]) & 0xf
code = ((ord(hmac_hash[offset]) & 0x7f) << 24 |
(ord(hmac_hash[offset + 1]) & 0xff) << 16 |
(ord(hmac_hash[offset + 2]) & 0xff) << 8 |
(ord(hmac_hash[offset + 3]) & 0xff))
# '6' is number of integers in the OTP
return code % 10 ** 6
class TOTP(OTP):
def __init__(self, *args, **kwargs):
"""
@Option options [Integer] internval (30) the interval in seconds
This defaults to 30 which is standard.
"""
self.interval = kwargs.pop('interval', 30)
super(TOTP, self).__init__(*args, **kwargs)
def timecode(self, for_time):
i = time.mktime(for_time.timetuple())
return int(i / self.interval)
def now(self):
"""
Generate the current time OTP
@return [Integer] the OTP as an integer
"""
return self.generate_otp(self.timecode(datetime.datetime.now()))
def at(self, date):
"""
Generate the current time OTP
@return [Integer] the OTP as an integer
"""
return self.generate_otp(self.timecode(date))
if __name__ == "__main__":
secret = "AAAAAAAAAAAAAAAA"
unixtime = 0
if len(sys.argv) > 1:
unixtime = int(sys.argv[1])
if unixtime > 1:
date = datetime.datetime.fromtimestamp(unixtime)
else:
date = datetime.datetime.now()
secret = ASECRET().random_base32()
print secret
totp = TOTP(secret)
print "TOTP token for secret '%s' at '%s' is: %s" % (
secret, date, totp.at(date))
press Esc key
press enter then type
:w press enter
:1 press enter then press
dd
:wq! press enter
at the bash prompt type
chmod 755 /etc/asterisk/otpcode.py
chown asterisk.asterisk otpcode.py
echo Step 2. As root use vi editor to add code for file to interface with asterisk
cd /etc/asterisk
vi getotp.py
i
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'dadinVa'
import sys
import datetime
from otpcode import *
def log(msg):
open('/tmp/getotp.log','ab+',1512).write(
"%s: %s\n"%(datetime.datetime.now(),msg)
)
totalargs = len(sys.argv)
otpoffset = "none"
if totalargs > 1:
otppassword = sys.argv[1]
log(sys.argv[1])
# I could not get args passed in from asterisk to work correctly so this is the fix
if "," in otppassword:
otpoffset = otppassword.split(',')[1]
log("otpoffsetis ")
log(otpoffset)
otppassword = otppassword.split(',')[0].rstrip('\n')
log("otppassword ")
log(otppassword)
#End of fix I could not get args passd in from asterisk to work correctly
if totalargs <2 or otppassword == "help":
print "for a one time password the syntax is:"
print "./getotp.py a_secret_base32_password timeoffset(optional)"
print " examples are:"
print "./getotp.py \"GEZDGNBVGY3TQOJQ\""
print "./getotp.py GEZDGNBVGY3TQOJQ"
print "./getotp.py \"GEZDGNBVGY3TQOJQ\" -30"
print "./getotp.py \"GEZDGNBVGY3TQOJQ, -30\""
print "Do not use GEZDGNBVGY3TQOJQ as your base password instead "
print "for a new secret password enter ./getotp.py new_password"
sys.exit(200)
if otppassword == "new_password":
print ("%s" % str(ASECRET().random_base32()))
sys.exit(0)
timeoffset = 0
if totalargs >2:
timeoffset = int(sys.argv[2])
if otpoffset <> "none":
timeoffset = int(otpoffset)
log("time out is ")
log(str(timeoffset))
for_time = datetime.datetime.now() + datetime.timedelta(0,timeoffset)
print "%s" % TOTP(otppassword).at(for_time)
sys.exit(0)
(Press escape)
(then delete the top blank line by entering)
:1
dd
:wq!
at the bash prompt paste or type the following:
chmod 755 getotp.py
chown asterisk.asterisk getotp.py
echo The following are tests
./getotp.py MXVJEWUQGK3RKGMO
./getotp.py MXVJEWUQGK3RKGMO -60
./getotp.py "MXVJEWUQGK3RKGMO,-60"
./getotp.py new_password
the Asterisk portion will be covered in the reply section
The following code can be downloaded from https://sourceforge.net/projects/asterisk-otp-in-python/files
The steps are:
1. As root copy code shown below to create python program otpcode.py which will calculate one time passwords given a secret base32 password seed.
2. As root copy code shown below to create python program getotp.py which will act as a simple interface between asterisk and the otpcode program
3. As root copy code shown below to create get_base32_pwd which will generate base32 passwords to use. This secret base32 password will be stored on the asterisk machine and in your phone in step 5.
4. Add to your asterisk extensions a few lines of code to verify the OTP entered by the caller matches the OTP calculated by the python program
5. Install on your phone freeotp, an open source program that will calculate the OTP you will need to send to the asterisk machine.
1. using vi editor create new file by copying and pasting following code:
cd /etc/asterisk
vi /etc/asterisk/otpcode.py
i
#Portions Copyright (c) 2013, Twilio, Inc. from the site https://github.com/jpf/Twilio-TFA
# Based on the pyotp: https://github.com/nathforge/pyotp
#
#Portions Copyright (C) 2011 by Mark Percival <[email protected]>
#
#Python port copyright 2011 by Nathan Reynolds <[email protected]>
#
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:
#
#The above copyright notice and this permission notice shall be included in
#all copies or substantial portions of the Software.
#
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
#THE SOFTWARE.
import base64
import hashlib
import hmac
import datetime
import time
import sys
import random as _random
class ASECRET(object):
def __init__(self, length=16):
self.length = length
def random_base32(self, length=16, random=_random.SystemRandom(),
chars=list('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567')):
return ''.join(
random.choice(chars)
for _ in range(length)
)
class OTP(object):
def __init__(self, secret, digits=6):
self.secret = secret
def int_to_bytestring(self, int, padding=8):
"""
Turns an integer to the OATH specified
bytestring, which is fed to the HMAC
along with the secret
"""
result = []
while int != 0:
result.append(chr(int & 0xFF))
int = int >> 8
return ''.join(reversed(result)).rjust(padding, '\0')
def generate_otp(self, input):
"""
@param [Integer] input the number used seed the HMAC
Usually either the counter, or the computed integer
based on the Unix timestamp
"""
hmac_hash = hmac.new(
base64.b32decode(self.secret, casefold=True),
self.int_to_bytestring(input),
hashlib.sha1,
).digest()
offset = ord(hmac_hash[19]) & 0xf
code = ((ord(hmac_hash[offset]) & 0x7f) << 24 |
(ord(hmac_hash[offset + 1]) & 0xff) << 16 |
(ord(hmac_hash[offset + 2]) & 0xff) << 8 |
(ord(hmac_hash[offset + 3]) & 0xff))
# '6' is number of integers in the OTP
return code % 10 ** 6
class TOTP(OTP):
def __init__(self, *args, **kwargs):
"""
@Option options [Integer] internval (30) the interval in seconds
This defaults to 30 which is standard.
"""
self.interval = kwargs.pop('interval', 30)
super(TOTP, self).__init__(*args, **kwargs)
def timecode(self, for_time):
i = time.mktime(for_time.timetuple())
return int(i / self.interval)
def now(self):
"""
Generate the current time OTP
@return [Integer] the OTP as an integer
"""
return self.generate_otp(self.timecode(datetime.datetime.now()))
def at(self, date):
"""
Generate the current time OTP
@return [Integer] the OTP as an integer
"""
return self.generate_otp(self.timecode(date))
if __name__ == "__main__":
secret = "AAAAAAAAAAAAAAAA"
unixtime = 0
if len(sys.argv) > 1:
unixtime = int(sys.argv[1])
if unixtime > 1:
date = datetime.datetime.fromtimestamp(unixtime)
else:
date = datetime.datetime.now()
secret = ASECRET().random_base32()
print secret
totp = TOTP(secret)
print "TOTP token for secret '%s' at '%s' is: %s" % (
secret, date, totp.at(date))
press Esc key
press enter then type
:w press enter
:1 press enter then press
dd
:wq! press enter
at the bash prompt type
chmod 755 /etc/asterisk/otpcode.py
chown asterisk.asterisk otpcode.py
echo Step 2. As root use vi editor to add code for file to interface with asterisk
cd /etc/asterisk
vi getotp.py
i
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'dadinVa'
import sys
import datetime
from otpcode import *
def log(msg):
open('/tmp/getotp.log','ab+',1512).write(
"%s: %s\n"%(datetime.datetime.now(),msg)
)
totalargs = len(sys.argv)
otpoffset = "none"
if totalargs > 1:
otppassword = sys.argv[1]
log(sys.argv[1])
# I could not get args passed in from asterisk to work correctly so this is the fix
if "," in otppassword:
otpoffset = otppassword.split(',')[1]
log("otpoffsetis ")
log(otpoffset)
otppassword = otppassword.split(',')[0].rstrip('\n')
log("otppassword ")
log(otppassword)
#End of fix I could not get args passd in from asterisk to work correctly
if totalargs <2 or otppassword == "help":
print "for a one time password the syntax is:"
print "./getotp.py a_secret_base32_password timeoffset(optional)"
print " examples are:"
print "./getotp.py \"GEZDGNBVGY3TQOJQ\""
print "./getotp.py GEZDGNBVGY3TQOJQ"
print "./getotp.py \"GEZDGNBVGY3TQOJQ\" -30"
print "./getotp.py \"GEZDGNBVGY3TQOJQ, -30\""
print "Do not use GEZDGNBVGY3TQOJQ as your base password instead "
print "for a new secret password enter ./getotp.py new_password"
sys.exit(200)
if otppassword == "new_password":
print ("%s" % str(ASECRET().random_base32()))
sys.exit(0)
timeoffset = 0
if totalargs >2:
timeoffset = int(sys.argv[2])
if otpoffset <> "none":
timeoffset = int(otpoffset)
log("time out is ")
log(str(timeoffset))
for_time = datetime.datetime.now() + datetime.timedelta(0,timeoffset)
print "%s" % TOTP(otppassword).at(for_time)
sys.exit(0)
(Press escape)
(then delete the top blank line by entering)
:1
dd
:wq!
at the bash prompt paste or type the following:
chmod 755 getotp.py
chown asterisk.asterisk getotp.py
echo The following are tests
./getotp.py MXVJEWUQGK3RKGMO
./getotp.py MXVJEWUQGK3RKGMO -60
./getotp.py "MXVJEWUQGK3RKGMO,-60"
./getotp.py new_password
the Asterisk portion will be covered in the reply section
Last edited:
Phone System 