Solved

Change existing perl script/ or write new simple one.

Posted on 2009-07-14
Last Modified: 2012-06-27
Hi All
I am using OpenVPN in username/pwd mode, in other words with no certificates. Apart from the security risk, which I know about, I am facing a problem.

The existing Perl script (displayed below) waits for the input to be sent from the client; after that it is supposed to create a hashed version of the password and compare it to /etc/shadow or /etc/passwd, I guess. I am not really sure. From the documentation it says it will check a file I create with the user on one line and the pwd on another line. Well, I could not get it to work and I am not really interested in using PAM.

In short, I need a Perl script working similarly to the one below in terms of waiting for input and presenting 0 for failure and 1 for success. It should be able to do the following:

1- Parse/receive input arguments the same way the script below does.
2- Compare the username/pwd provided against a file where username + password pairs are one pair per line, for example username:password
3- Return 1 for a match and 0 for failure.

Thanks
#!/usr/bin/perl

# OpenVPN PAM AUTHENTICATION
#   This script can be used to add PAM-based authentication
#   to OpenVPN 2.0.  The OpenVPN client must provide
#   a username/password, using the --auth-user-pass directive.
#   The OpenVPN server should specify --auth-user-pass-verify
#   with this script as the argument and the 'via-file' method
#   specified.  The server can also optionally specify
#   --client-cert-not-required and/or --username-as-common-name.

# SCRIPT OPERATION
#   Return success or failure status based on whether or not a
#   given username/password authenticates using PAM.
#   Caller should write username/password as two lines in a file
#   which is passed to this script as a command line argument.
#   OpenVPN treats exit status 0 as "authenticated" and any
#   non-zero exit status as "rejected".

# CAVEATS
#   * Requires Authen::PAM module, which may also
#     require the pam-devel package.
#   * May need to be run as root in order to
#     access username/password file.

use Authen::PAM;
use POSIX;

# This "conversation function" will pass
# $password to PAM when it asks for it.

sub my_conv_func {
    my @res;
    while ( @_ ) {
        my $code = shift;
        my $msg = shift;
        my $ans = "";

        $ans = $password if $msg =~ /[Pp]assword/;

        push @res, (PAM_SUCCESS(),$ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
}

# Identify service type to PAM
$service = "login";

# Get username/password from file

if ($ARG = shift @ARGV) {
    if (!open (UPFILE, "<$ARG")) {
        print "Could not open username/password file: $ARG\n";
        exit 1;
    }
} else {
    print "No username/password file specified on command line\n";
    exit 1;
}

# via-file layout: username on the first line, password on the second
$username = <UPFILE>;
$password = <UPFILE>;

if (!$username || !$password) {
    print "Username/password not found in file: $ARG\n";
    exit 1;
}

chomp $username;
chomp $password;

close (UPFILE);

# Initialize PAM object

if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
    print "Authen::PAM init failed\n";
    exit 1;
}

# Authenticate with PAM

$res = $pamh->pam_authenticate;

# Return success or failure: exit 0 is success, which is what
# OpenVPN's --auth-user-pass-verify expects.

if ($res == PAM_SUCCESS()) {
    exit 0;
} else {
    print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
    exit 1;
}

Question by: thevpn.guru
8 Comments
 
LVL 39

Expert Comment

by:Adam314
ID: 24854253
Was there a copy/paste error in the script?  It doesn't look correct.
 
LVL 19

Author Comment

by: thevpn.guru
ID: 24854464
 
LVL 39

Accepted Solution

by: Adam314 (earned 500 total points)
ID: 24854509
Replace lines 66 - 77 with this:
my $Line = <UPFILE>;
chomp $Line;
if($Line !~ /^(.*?):(.*)$/) {
	print "Username/password not found in file: $ARG\n";
	exit 1;
}

# Assign to the package globals rather than declaring new lexicals with "my":
# my_conv_func above was compiled against the global $password, so a lexical
# declared here would not be visible to it and PAM would get an empty password.
$username = $1;
$password = $2;


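A complete flat-file replacement for the PAM script, covering the three requirements in the question (same via-file input, one username:password pair per line, a pass/fail exit status) together with the colon split from the accepted answer. This is an added example, not code from the original question or from Adam314's answer. Everything the page does not state is an assumption: the credential file path /etc/openvpn/users.cred is hypothetical; the file stores crypt(3) SHA-512 hashes (the $6$ format glibc supports) instead of the plaintext passwords the poster has, because the script runs on the VPN server and anyone who can read a plaintext file holds every user's VPN password; and the exit status follows the contract OpenVPN enforces for --auth-user-pass-verify, 0 for accept and non-zero for reject, rather than the 1-for-success convention described in the question.

```perl
#!/usr/bin/perl
# check-user.pl: flat-file username/password verifier for OpenVPN's
#   --auth-user-pass-verify <script> via-file
# Added example, not code from the original question or the accepted answer.
#
# Assumptions (none of these come from the page):
#   * $CREDFILE is a hypothetical path holding one "username:hash" entry per
#     line, where hash is a crypt(3) SHA-512 string ($6$salt$...).  Add a user:
#       perl -e '@c=("a".."z","A".."Z","0".."9",".","/");
#                print crypt("s3cret", "\$6\$".join("",map{$c[rand @c]}1..16)), "\n"'
#     ($6$ needs a libc that supports it; glibc does.)
#   * exit status follows OpenVPN's contract: 0 = accept, non-zero = reject.

use strict;
use warnings;

my $CREDFILE = '/etc/openvpn/users.cred';   # hypothetical; chmod 600, owned by the OpenVPN user

# Read the two-line file OpenVPN wrote: username first, then password.
my $path = shift @ARGV;
unless (defined $path) {
    print "No username/password file specified on command line\n";
    exit 1;
}
open(my $up, '<', $path) or do {
    print "Could not open username/password file: $path\n";
    exit 1;
};
my $username = <$up>;
my $password = <$up>;
close($up);
unless (defined $username && defined $password) {
    print "Username/password not found in file: $path\n";
    exit 1;
}
# Strip the newline (and a CR, in case a Windows client supplied the values).
s/\r?\n\z// for $username, $password;

# Refuse usernames that could contain the ':' separator, a newline, or
# shell/log metacharacters; they cannot match a well-formed credential file.
unless ($username =~ /\A[A-Za-z0-9._@-]{1,64}\z/) {
    print "Rejecting malformed username\n";
    exit 1;
}

# Compare two strings without stopping at the first mismatching byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Look $user up in $credfile and check $pass against the stored crypt hash.
# crypt() re-derives the hash with the algorithm and salt embedded in the
# stored string, so its output equals the stored hash exactly when the
# password is correct.
sub verify_user {
    my ($credfile, $user, $pass) = @_;
    open(my $fh, '<', $credfile) or return 0;
    my $ok = 0;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '' || $line =~ /^#/;
        my ($u, $hash) = split /:/, $line, 2;      # split on the first colon only
        next unless defined($hash) && $u eq $user;
        my $computed = crypt($pass, $hash);
        $ok = defined($computed) && constant_time_eq($computed, $hash);
        last;
    }
    close($fh);
    return $ok;
}

if (verify_user($CREDFILE, $username, $password)) {
    exit 0;                                   # authenticated
}
print "Auth '$username' failed\n";
exit 1;                                       # rejected
```

Install it with auth-user-pass-verify /etc/openvpn/check-user.pl via-file in the server config (plus script-security 2 on OpenVPN 2.1 and later, which refuse to run external scripts without it), keep the credential file readable only by the account OpenVPN runs as, and add users with the one-liner in the header comment. If you must keep the poster's plaintext file, replace the crypt() call with constant_time_eq($pass, $hash) and nothing else changes, but that file then deserves the same protection as /etc/shadow.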
 
LVL 19

Author Comment

by: thevpn.guru
ID: 24854543
One thing to note here is that the username/password is plain text in the file and sent over unhashed, while from what I understood from the file it uses PAM to hash the passwords. Another thing here is that the script seems to use the login mechanism of Linux to do something. I don't need that as well.
LVL 39

Expert Comment

by:Adam314
ID: 24854584
The code snippet I gave will read a single line from a file.  If that line does not have a username followed by a colon followed by a password, like "username:password", it will display a message and exit with 1.  If it does have that pattern, it'll save the username to the $username variable, and the password to the $password variable.

The script expects the name of the file to be supplied on the command line.  This was the way your original script works, and that was not changed.

If this wasn't what you wanted, I misunderstood your request.
 
LVL 19

Author Comment

by: thevpn.guru
ID: 24872117
The thing I am concerned about is that the original script uses the login facilities of the Linux system; I don't need those, and the script also uses PAM authentication at:

if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
    print "Authen::PAM init failed\n";
    exit 1;

This I don't need as well... I simply want a script to check the username and password against the text file and take input and output in the way the original script does, without going into any other features.


Thanks for all of your help
 
LVL 19

Author Comment

by: thevpn.guru
ID: 24872559
I did test the code with the changes you suggested and I got :

212.36.208.1:31055 Expected Remote Options hash (VER=V4): '41690919'
Thu Jul 16 12:03:20 2009 212.36.208.1:31055 TLS: Initial packet from 212.36.208.1:31055, sid=3ee922c5 118483e1
Username/password not found in file: ./newpassword
Thu Jul 16 12:03:24 2009 212.36.208.1:31055 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jul 16 12:03:24 2009 212.36.208.1:31055 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jul 16 12:03:24 2009 212.36.208.1:31055 [] Peer Connection Initiated with 212.36.208.1:31055
Thu Jul 16 12:03:25 2009 212.36.208.1:31055
 
LVL 39

Expert Comment

by:Adam314
ID: 24874594
>>I simply want a script to check the username and password against the text file and take input and
>>output in the way the original script does
The original script gets the username and password through PAM.  If you don't want to use PAM, but want to get them the same way, I'm not sure what you want.
