[Question] How to remotely disable AVM's security feature "confirmation of settings"

frater

I have upgraded about 12 7490's to 6.83 remotely.
I used the 6.83 firmware myself and it turned out to be stable.

It was however a mistake...
It turned out that AVM changed their policy regarding passwords of the internal VoIP-accounts.
I publicly admit here that I was using quite short credentials for these internal accounts.

Still, I don't think it's AVM's place to correct me in a way that now has all those VoIP-accounts disabled.

I wouldn't write this post if it weren't for another thing.
Of course I don't like to admit that I am using weak credentials, but AVM has changed another thing.
I can't even correct my "mistake" as the upgrade of these routers introduced another one of their security features.

I can't change any system settings as an admin without physical access to the Fritzbox.
This means I need to go there and press a key on the box (or let someone do that for me).
This feature itself can be turned off, but of course that also needs to be confirmed by pressing a key on the box. Catch-22

I would think having SSH root access could make it possible to change that setting, but I couldn't find any info regarding that. Hopefully someone has the answer to this so I can correct these settings during this weekend and it will all be working on Monday morning.

Another option would be to downgrade the firmware, make the necessary settings and then upgrade.
I would rather not do that. Downgrades are always risky.
Such operations quite often result in a situation where the router would lose all its settings making a trip to the client mandatory.
I am already glad that after upgrading all these routers retained access.
I did have one box that lost all the forwardings to 1 device (not all). Luckily my monitoring software immediately detected this and I was able to correct this before it became a problem.
 
Look for a "two_factor_auth_enabled" setting in the "boxusers" section of "ar7.cfg" (it was mentioned somewhere else some time ago, but searches are much harder meanwhile).

If you change this setting while "ctlmgr" is stopped (it has to be stopped only during installation of changed content), and you restart "ctlmgr" afterwards, this function is disabled. As the name suggests, "no" means it's "off".

You can create your own shell script to run the needed commands:
  • copy/change the original content into a temporary file
  • stop "ctlmgr"
  • copy the temporary file back to "/var/flash" and
  • restart "ctlmgr"
as I did it for my systems (but it's really simple and that means, it's too simple to share it here).

And if you want to reactivate this - useful - protection level after your own changes, you should create your own script, which uses a parameter on each call to decide whether to switch 2FA on or off.

I would not use a "flip-switch solution" here (switch it to the other state on each call), because a setting regarding the security of a device should always be in a known (and wanted) state.
 
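An added example (not PeterPawn's script and not AVM code) of the parameterised switch described in the post above: it sets "two_factor_auth_enabled" inside the "boxusers" section of a copy of the configuration to an explicit `on` or `off`, refuses any other argument, and succeeds only if the file then holds the requested state. The file layout, the function names and the sample content are assumptions; installing the changed file with "ctlmgr" stopped works as described in the thread.

```shell
#!/bin/sh
# Added example, not PeterPawn's script. Assumed ar7.cfg layout: top-level
# "name {" ... "}" sections at column 0, "key = yes;" / "key = no;" values.

make_sample() {  # constructed sample, not taken from a real box
    cat > "$1" <<'EOF'
boxusers {
    users {
        name = "admin";
    }
    two_factor_auth_enabled = yes;
}
othersection {
    two_factor_auth_enabled = yes;
}
EOF
}

get_2fa() {  # print yes/no from the boxusers section of file $1
    awk '
        /^boxusers[ \t]*[{]/ { inside = 1 }
        inside && /two_factor_auth_enabled[ \t]*=/ {
            gsub(/[ \t;]/, ""); sub(/.*=/, ""); print; found = 1; exit
        }
        inside && /^[}]/ { inside = 0 }
        END { if (!found) exit 1 }
    ' "$1"
}

set_2fa() {  # set_2fa <file> on|off : explicit target state, never a toggle
    case "$2" in
        on)  want=yes ;;
        off) want=no ;;
        *)   echo "usage: set_2fa <file> on|off" >&2; return 2 ;;
    esac
    get_2fa "$1" >/dev/null || { echo "setting not found" >&2; return 1; }
    awk -v want="$want" '
        /^boxusers[ \t]*[{]/ { inside = 1 }
        inside && /two_factor_auth_enabled[ \t]*=/ { sub(/=[ \t]*[a-z]+;/, "= " want ";") }
        inside && /^[}]/ { inside = 0 }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
    [ "$(get_2fa "$1")" = "$want" ]  # succeed only if the file now holds that state
}

cfg=$(mktemp) && make_sample "$cfg"
set_2fa "$cfg" off && echo "after off: $(get_2fa "$cfg")"
set_2fa "$cfg" on  && echo "after on:  $(get_2fa "$cfg")"
rm -f "$cfg"
```

Calling `get_2fa` on its own also serves as a check that a box was left with the protection switched back on after maintenance.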
@PeterPawn You are a life saver....

I was just able to change the settings.
For me there is no need to script this. As long as I have terminal access I know how to circumvent the problem.

That's why I did this:
  • Stop ctlmgr ( /usr/bin/ctlmgr -s )
  • nvi /var/flash/ar7.cfg (edit the setting)
  • Start ctlmgr ( /usr/bin/ctlmgr )
  • Login to AVM's webinterface and change the necessary settings.
  • Turn on the security setting ( System -> Fritz!Box Users -> Login to the Home Network -> Click checkbox )
Many thanks....
 
@PeterPawn....

I just finished the reconfiguration of 5 7490's.
All these were flashed with exactly the same file.
To my surprise 2 of them didn't disapprove the 3-digit VoIP-credentials.
I therefore didn't need to reconfigure those (I need to reconfigure the phones as well, so that saved me a lot of time).

Do you know which flag is controlling this enhanced security?

The reason why I flashed all these 7490's is that I want them all on the same version.

I came from 6.80 on the FB's where the weak credentials are still allowed.
Coming from 6.31 or 6.52 will force the enhanced security....
 
Afaik, these additional requirements were enforced step by step ... the first change regarded the length of a password and the second enforced a longer (and not as easily guessable as "620") user name for a SIP client.

Maybe the combination of these tests leads to different results ... meanwhile the configuration files contain "version information" for many parts in different places and I would think that older settings will be updated on first run with a new firmware, depending on the previous and current (configuration) version.

I don't really know what AVM did/does here ... but I would (personally) not implement a "step by step" change for a setting, if more than one version and its changes have to be taken into account.
 