I wanted to make the access to my network easy but secure. Certificates are nice, but I still like username and password even more. You can use the following simple script to check for usernames/passwords.
Add this to the config on the server and set the right path for the script:
auth-user-pass-verify /path/to/your/script/verify.sh via-file
This line tells the openvpn server to check the passed username and password by calling the script verify.sh, passing the username and password in a tmp file.
Every client has to have this in its config file:
auth-user-pass
This just tells openvpn client to ask the user for username and password or s/he will not be able to log in. You can also use "--auth-user-pass" (instead of the line in the config file) on the command line.
This is a simple shell script called "verify.sh" which contains usernames and passwords in clear text. I wanted to encrypt passwords with "passwd", but the command "passwd" is not available in dd-wrt (and I have no idea how dd-wrt encrypts the root password for /etc/passwd). If someone knows how to encrypt passwords in dd-wrt, please add it here.
[Edit by mrwizeman Aug 31 2009] Ok so I put it here... here is a way I came up with that makes this work with an encrypted password. Now, let me explain how it works: I hash the username and password, then add the hash to itself and hash that, 10 times, every time adding the hashes together. I got that idea from the author of the passwd we use, Poul-Henning Kamp, but he does it 1000 times...
You can easily change this script to hash it 1000 times, but I think 10 is enough; it will take a bruteforce program forever to first hash the user and pass and then hash the hashes 10 times, just to find out if it matches, and besides, the weak ass processor of the routers we use will take forever to check our credentials if we do it that way... so anyway here it is: you have to run it in telnet the first time to figure out what your hash is, then change that in your script. The hash in the script I paste here is for user: test and pass: test.
First the script to generate a hash for you:
#!/bin/sh
## genhash: print the iterated md5 hash for a username/password pair.
## Usage: ./genhash.sh USERNAME PASSWORD  (paste the HASHPASS value into verify.sh)

## md5 of a string with no trailing newline; keep only the hash field of md5sum's output
md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

genhash() {
    echo "You are generating a HASH for user: $1"
    echo "with the password : $2"
    HASHPASS=$(md5 "$1$2")
    i=0
    while [ "$i" != 10 ]; do
        ## the original joined the two copies with a single space (a side effect of
        ## unquoted word splitting); kept here so already generated hashes still match
        HASHPASS=$(md5 "$HASHPASS $HASHPASS")
        #echo "[$i] HASHPASS=$HASHPASS"
        i=$((i + 1))
    done
    echo "HASHPASS=$HASHPASS"
}
genhash "$1" "$2"
Then the actual script for your check:
#!/bin/sh
## verify.sh: openvpn calls this with the path of a temp file that holds the
## username on line 1 and the password on line 2 (auth-user-pass-verify ... via-file).
## Exit 0 = credentials OK, anything else = rejected.
## Generate HASH with the genhash script above (this one is for user "test", password "test").
HASH='1bbd7254581aaab10868ccfdc0860d68'

## md5 of a string with no trailing newline; keep only the hash field of md5sum's output
md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

vpn_verify() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        #echo "No username or password: $*"
        exit 1
    fi
    HASHPASS=$(md5 "$1$2")
    #echo "HASHPASS = $HASHPASS"
    i=0
    while [ "$i" != 10 ]; do
        ## the original joined the two copies with a single space (a side effect of
        ## unquoted word splitting); kept here so already generated hashes still match
        HASHPASS=$(md5 "$HASHPASS $HASHPASS")
        #echo "[$i] HASHPASS=$HASHPASS"
        i=$((i + 1))
    done
    #echo "HASHPASS=$HASHPASS"
    if [ "$HASH" = "$HASHPASS" ]; then
        #echo "MATCH!!"
        exit 0
    else
        #echo "NO MATCH!!!"
        exit 1
    fi
}

if [ -z "$1" ] || [ ! -e "$1" ]; then
    #echo "No file"
    exit 1
fi
## $1 is the file openvpn wrote: username on line 1, password on line 2
{ read -r USERNAME; read -r PASSWORD; } < "$1"
vpn_verify "$USERNAME" "$PASSWORD"
#echo "No user with this password found"
exit 1
I suck at shellscripting, so if someone spots any errors or wants to add support for multiple users that would be cool...
Original author's script below, the one without encrypted pass:
#!/bin/sh
## format: username:password username:password ...
## you can even have same usernames with different passwords
USERS='user1:pass1 user2:pass2 user3:pass3'
## you could put username:password in
## a separate file and read it like this
#USERS=$(cat file_with_users)

vpn_verify() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        #echo "No username or password: $*"
        exit 1
    fi
    ## it can also be done with grep or sed
    for i in $USERS; do
        if [ "$i" = "$1:$2" ]; then
            ## you can add here logging of users
            ## if you have enough space for log file
            #echo "$(date) $1:$2" >> your_log_file
            exit 0
        fi
    done
}

if [ -z "$1" ] || [ ! -e "$1" ]; then
    #echo "No file"
    exit 1
fi
## $1 is the file name which contains the
## passed username (line 1) and password (line 2)
{ read -r USERNAME; read -r PASSWORD; } < "$1"
vpn_verify "$USERNAME" "$PASSWORD"
#echo "No user with this password found"
exit 1
You can delete all lines which begin with #. The "echo" commands are there just so you can see what happens at that point, and they can be used for debugging.
This verification with the script does not work if openvpn is running in "daemon" mode. I have no idea what the reason for that is, probably some wrong interpretation of the output ("exit 0" means user/pass OK, everything else means user/pass NOT OK). That's why I am running the openvpn server as a background process with all output going to /dev/null:
openvpn --config openvpn.conf >/dev/null 2>&1 &
--Comma 23:53, 11 August 2008 (CEST)
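The multi-user version asked for above, as an added example that is not part of the original page or of mrwizeman's script: usernames and iterated-md5 hashes live in a file (USERS_FILE is an assumed path), so no clear-text password sits on the router. Hashes must be produced with this script's own genhash; values from the page's genhash are not interchangeable.

```shell
#!/bin/sh
## Added example, not the page's own script: multi-user verify.sh for
## "auth-user-pass-verify /path/verify.sh via-file".
## Users are kept in USERS_FILE (assumed path), one "username:hash" per line.
USERS_FILE="${USERS_FILE:-/tmp/openvpn/users.hash}"   # assumed location

## md5 of a string with no trailing newline; keep only the hash field
md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

## iterated hash of a username/password pair: md5(user+pass), then
## 10 rounds of md5(hash+hash). Run "genhash USER PASS" to create entries.
genhash() {
    h=$(md5 "$1$2")
    i=0
    while [ "$i" -lt 10 ]; do
        h=$(md5 "$h$h")
        i=$((i + 1))
    done
    printf '%s\n' "$h"
}

## 0 if USERS_FILE contains exactly "username:<hash of the pair>", else 1
check_user() {
    [ -r "$USERS_FILE" ] || return 1
    grep -qxF -e "$1:$(genhash "$1" "$2")" "$USERS_FILE"
}

## Check the file openvpn passes: line 1 username, line 2 password.
verify_file() {
    [ -n "$1" ] && [ -e "$1" ] || return 1
    { read -r u || :; read -r p || :; } < "$1"
    [ -n "$u" ] && [ -n "$p" ] || return 1
    check_user "$u" "$p"
}

## Entry point when openvpn runs the script: exit 0 only on a match.
if [ "$#" -eq 1 ]; then
    verify_file "$1" && exit 0
    exit 1
fi
```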
I was getting the error
openvpn_execve: external program may not be called due to setting of --script-security level
I had to add the following lines to my config file to make it work in v24-SP2:
tmp-dir /tmp/openvpn
script-security 3
Additionally, the ">/dev/null 2>&1 &" hack wouldn't work but running from the command line did. I resorted to using the /tmp/myvpn symlink as well as --daemon in the command line. All works now without an interactive shell. --JoeM 23:28, 22 October 2008 (CEST)