TIPS Strange password behavior-is this normal?

[rchalk]

I have a very recent installation of Incredible (Asterisk 13.5.0) and experience an issue I have not seen before. I have a client who calls in frequently to retrieve voicemails, and if the voicemail password is set as the same as the extension number (I know-bad idea) the system asks for a password reset every time. If set to any other password, system delivers voicemail information normally.

I suspected this was a security measure, but it only seems to happen on one extension, while the other 30+ extensions do not act this way.

Anyone have any idea what is going on here? Thanks.

 

[geopeterwc]

It's not "strange" at all. This is normal behavior of voicemail when the password is set to the extension number. If you choose to pre-assign the password for users, why not use a password that's easy to remember, and a derivative of the extension number?

If my users want something simple to remember - but don't want to create one for themselves, I simply "double" the extension number in the GUI. For example, for extension 246, I assign the password as "246246". Simple, though doing this is barely more secure than using the extension number as password, or, maybe the default password could be the extension number "backwards", i.e., "642". Simple, and avoids the setup prompts entirely. It's always better for users to establish their own password, and for the password to be changed regularly.

In the GUI, check the other 30+ extensions to see if the passwords are set to match the extension number. My guess is that they are not - and as a result, those users won't get the mailbox setup prompts.

/Pete./

 

[dicko]

That behavior is controlled by the variables forcename and forcegreeting as set in voicemail.conf

http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/Voicemail_id263499.html

The defaults for both are "no"

 

[geopeterwc]

Thanks for the additional information @dicko.

I have not had a prior need to dig into the "advanced" options for voicemail where these settings are found. The defaults have been to be to me and my customers' liking. My response to @rchalk was based on those defaults. I see now that it is possible to control the options on a per-extension basis.

Could it be that the user that the OP had referenced had been trying to reset the password to the extension number in response to the prompt to set a new one? I just tested that possibility, and found that the system would accept a "changed" password the same as the original (extension) number, as it had been before.

So, the problem described by the OP may be a combination of the settings for the extension and the user resetting the password to the extension number again, rather than creating a unique one? It's interesting that, if the user's "name" has been previously recorded, the only prompt will be to enter a new password.

Also, if you set the "ForceName" setting in Advanced Settings for the extension, no prompt to change the password will be made. (This is under Voicemail Settings | the subject extension | Advanced Settings.)

Again, thanks for your insight and the new information!
/Pete./

 

[dicko]

From the app_voicemail.c file which effectively says that if the password is the same as the mailbox AND ( either forcename or forcegreeting are set), to enter the "new use setup" routine, both conditions need to be true.

/* Check to see if this is a new user */
if (!strcasecmp(vmu->mailbox, vmu->password) &&
(ast_test_flag(vmu, VM_FORCENAME | VM_FORCEGREET))) {
if (ast_play_and_wait(chan, vm_newuser) == -1)
ast_log(AST_LOG_WARNING, "Couldn't stream new user file\n");
cmd = vm_newuser_setup(chan, vmu, &vms, vmfmts, record_gain);
if ((cmd == 't') || (cmd == '#')) {
/* Timeout */
ast_test_suite_event_notify("TIMEOUT", "Message: response from user timed out");
res = 0;
goto out;
} else if (cmd < 0) {
/* Hangup */
ast_test_suite_event_notify("HANGUP", "Message: hangup detected");
res = -1;
goto out;
}
}


This check is always run whenever a user enters his mailbox