mrwizeman DD-WRT Novice
Joined: 01 Sep 2009 Posts: 1
Posted: Tue Sep 01, 2009 6:47 Post subject: HOWTO: Encrypt passwords for OpenVPN auth-user-pass option.
Yeah... I don't know if this belongs here, but I know I came to the forum and searched like crazy for a way to store usernames and passwords encrypted when using the auth-user-pass option in OpenVPN. Anyway, I figured out a way to do it; here are my scripts for it, hopefully it will be helpful to someone else:
The script to generate the hash:
Code:
#!/bin/sh
# GenHash.sh by MrWizeman 2009
# Usage: ./GenHash.sh USERNAME PASSWORD
# Prints the hash to paste into the HASH= line of Custom.sh.

# MD5 hex digest of a string, without the trailing " -" that md5sum prints
md5hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

genhash() {
    echo "You are generating a HASH for user: $1"
    echo "with the password : $2"
    # first round: MD5 of username and password concatenated
    HASHPASS=$(md5hex "$1$2")
    # then 10 rounds of hashing the hex string appended to itself
    i=0
    while [ "$i" -ne 10 ]; do
        HASHPASS=$(md5hex "$HASHPASS$HASHPASS")
        #echo "[$i] HASHPASS=$HASHPASS"
        i=$((i + 1))
    done
    echo "HASHPASS=$HASHPASS"
}

if [ -z "$1" ] || [ -z "$2" ]; then
    echo "Usage: $0 USERNAME PASSWORD" >&2
    exit 1
fi
genhash "$1" "$2"
And here is the actual script OpenVPN will call to authenticate a user. (I pasted this in the web interface and placed this line in my OpenVPN server config: auth-user-pass-verify /tmp/custom.sh via-file, but I guess you could rename it to whatever...)
The hash in the script below is for user: test and pass: test
Code:
#!/bin/sh
# Custom.sh by MrWizeman 2009
# Called by OpenVPN as: auth-user-pass-verify /tmp/custom.sh via-file
# $1 is a temp file: line 1 = username, line 2 = password.
# Exit 0 accepts the login, anything else rejects it.

# hash of user "test" with password "test", produced by GenHash.sh
HASH='1bbd7254581aaab10868ccfdc0860d68'

# MD5 hex digest of a string, without the trailing " -" that md5sum prints
md5hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

vpn_verify() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        #echo "No username or password"
        exit 1
    fi
    # same chain as GenHash.sh: MD5(user+pass), then 10 rounds of MD5(hash+hash)
    HASHPASS=$(md5hex "$1$2")
    i=0
    while [ "$i" -ne 10 ]; do
        HASHPASS=$(md5hex "$HASHPASS$HASHPASS")
        #echo "[$i] HASHPASS=$HASHPASS"
        i=$((i + 1))
    done
    #echo "HASHPASS=$HASHPASS"
    if [ "$HASH" = "$HASHPASS" ]; then
        #echo MATCH!!
        exit 0
    else
        #echo NO MATCH!!!
        exit 1
    fi
}

if [ -z "$1" ] || [ ! -e "$1" ]; then
    #echo "No file"
    exit 1
fi
# read the two lines OpenVPN wrote (username, then password); quoting keeps
# spaces and shell metacharacters in the password intact
{ IFS= read -r USERNAME; IFS= read -r PASSWORD; } < "$1"
vpn_verify "$USERNAME" "$PASSWORD"
#echo "No user with this password found"
exit 1
If you need an explanation of where to put the scripts and how they work in more detail, go read my notes about this in the wiki: http://www.dd-wrt.com/wiki/index.php/OpenVPN#Additional_Server_Protection_with_usernames_and_passwords
In short, I hash the username and password and then add the hash to itself, and do that 10 times over. I got that idea from the author of the passwd we use, Poul-Henning Kamp, but he does it 1000 times...
You can easily change this script to hash it 1000 times, but I think 10 is enough: it will take a brute-force program forever to first hash the user and pass and then hash the hashes 10 times just to find out if it matches, and besides, the weak-ass processor of the routers we use would take forever to check our credentials if we did it that way. So anyway, here it is: you have to run it in telnet the first time to figure out what your hash is, then change that in your script.
Good luck, and if someone here who doesn't suck as bad as I do at shell scripting can add multi-user functionality to the script, feel free to post! I only added the ability to check a single user's pass with the above script...
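The post asks for a multi-user version of the verify script. The one below is an added example and is not part of the original post or DD-WRT's own code. It keeps the poster's hash chain unchanged (MD5 of username followed by password, then ten rounds of MD5 over the hex digest appended to itself), so a hash printed by GenHash.sh can be pasted into the credentials file as-is. The credentials file path /jffs/vpnusers.txt, its `username:hash` line format, the function names and the demo users are assumptions made for this example. Two properties of the scheme are visible in the code and checked by the self-test: the username is the only salt, and user and password are joined with no separator, so (user "ab", pass "c") and (user "a", pass "bc") produce the same hash.

```sh
#!/bin/sh
# Multi-user auth-user-pass-verify script (added example, not the post's code).
# Hashing is the poster's chain unchanged: MD5(user+pass), then ten rounds of
# MD5(hash+hash) over the lowercase hex digest, so GenHash.sh output works.
#
# Assumptions for this example:
#   - credentials file (CREDS_FILE): one "username:hash" per line
#   - OpenVPN server config line:
#       auth-user-pass-verify /jffs/verify-users.sh via-file
#   - via-file layout: line 1 username, line 2 password

CREDS_FILE=${CREDS_FILE:-/jffs/vpnusers.txt}   # assumed location
ROUNDS=10                                      # as in the post

# MD5 hex digest of a string, without md5sum's trailing " -".
mw_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# The hash chain from the post; prints the final digest.
mw_hash() {
    local h i
    h=$(mw_md5 "$1$2")          # user and password, no separator
    i=0
    while [ "$i" -lt "$ROUNDS" ]; do
        h=$(mw_md5 "$h$h")      # digest appended to itself, rehashed
        i=$((i + 1))
    done
    printf '%s\n' "$h"
}

# Print the stored hash for a username, or nothing if absent.
# awk -v expands backslash escapes in the value, so usernames containing
# backslashes are not supported by this lookup.
mw_lookup_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# $1 = via-file from OpenVPN, $2 = credentials file. 0 = accept, 1 = reject.
mw_verify() {
    local authfile credsfile user pass stored computed
    authfile=$1
    credsfile=$2
    [ -f "$authfile" ] && [ -f "$credsfile" ] || return 1
    # read -r with IFS empty keeps spaces and backslashes in the password
    { IFS= read -r user; IFS= read -r pass; } < "$authfile"
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    case "$user" in *:*) return 1 ;; esac      # ':' is the file separator
    stored=$(mw_lookup_hash "$credsfile" "$user")
    [ -n "$stored" ] || return 1
    computed=$(mw_hash "$user" "$pass")
    [ "$stored" = "$computed" ]
}

# Entry point used by OpenVPN: the exit status decides the login.
mw_main() {
    if mw_verify "$1" "$CREDS_FILE"; then
        exit 0
    fi
    exit 1
}

# Self-check with constructed users and login attempts; 0 if all behave.
mw_demo() {
    local dir creds attempt ok
    dir=$(mktemp -d) || return 1
    creds=$dir/users.txt
    attempt=$dir/attempt.txt
    ok=1
    printf '%s:%s\n' alice "$(mw_hash alice 'correct horse')" > "$creds"
    printf '%s:%s\n' bob "$(mw_hash bob hunter2)" >> "$creds"

    printf '%s\n%s\n' alice 'correct horse' > "$attempt"
    mw_verify "$attempt" "$creds" || ok=0       # right password: accept
    printf '%s\n%s\n' alice wrong > "$attempt"
    mw_verify "$attempt" "$creds" && ok=0       # wrong password: reject
    printf '%s\n%s\n' carol hunter2 > "$attempt"
    mw_verify "$attempt" "$creds" && ok=0       # unknown user: reject
    printf '%s\n' bob > "$attempt"
    mw_verify "$attempt" "$creds" && ok=0       # no password line: reject

    rm -rf "$dir"
    [ "$ok" = 1 ]
}

# OpenVPN passes the via-file path as $1. With no argument nothing runs, so
# the file can be sourced and the functions (e.g. mw_demo) called by hand.
if [ -n "${1:-}" ]; then
    mw_main "$1"
fi
```

To add a user, run `mw_hash USERNAME PASSWORD` (or the poster's GenHash.sh) on the router and append `USERNAME:HASH` to the credentials file; the script never stores the password itself. Sourcing the file and calling `mw_demo` exercises the accept and reject paths with the constructed users before pointing auth-user-pass-verify at it.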