Posted: Wed Dec 30, 2009 4:34 Post subject: Automatically change Wireless Passphrase each day
The enclosed attachment is a script that submits itself as a cron job and then automatically changes the SSID passphrase of the first Virtual Wireless interface (WL0.1) at midnight each day.
The script automatically sets the passphrase to temp_DDDdd where DDD is the first three letters of the day reversed and dd is the day of the month reversed. Thus, on Monday 21-Jan the passphrase will be set to temp_nom12. The script can automatically be modified to change the format of the passphrase.
Code:
#!/bin/sh
# set_passphrase.sh
#
# This DD-WRT script sets the first virtual wireless interface (wl0.1)
# passphrase at midnight every day. It will run on the hour and reset the
# passphrase if it is not correct, but under normal circumstances the passphrase
# will only be changed at midnight.
#
# The wireless passphrase will be set to "temp_DDDdd", where
# - DDD is the first three letters of the day in lowercase reverse order
# - dd is the numerical day of the month in reverse order. Single digit days
# of the month will have a 0 (zero) prefix.
# For example, Monday 10-Jan would equate to nom01
#
# This job will automatically add itself to cron if not already defined.
#
# This program requires a jffs partition which will need to be manually
# created if it does not already exist.
#
# This file should be copied to /jffs/set_passphrase.sh and have the
# execute bit set (chmod +x /jffs/set_passphrase.sh).
#
# The virtual wireless must be manually created from the WEB GUI.
# Wireless, Basic Settings, Virtual Interfaces.
# Click Add, set the SSID followed by Save and Apply Settings.
# Wireless, Wireless Security, Virtual Interfaces wl0.1 SSID.
# Set the Security Mode to "WPA2 Personal" and then set the initial
# "WPA Shared Key", Save, Apply Settings. This script will change
# the password.
#
# Note that a WPA2 Personal Passphrase must be at least 8 characters in length.
#
# By default, DD-WRT sets the "WPA Algorithm" to TKIP. If there is more than
# one wireless interface set with a "WPA Algorithm" of TKIP or TKIP+AES then
# wireless clients may experience intermittent connection problems. I would
# recommend that all wireless interfaces have their "WPA Algorithm"
# set to "AES". This is done from the Wireless, Wireless Security Tab.
#
# This procedure supports only "WPA Personal" and "WPA2 Personal" security
# modes.
#
# After changing the passphrase it may take up to 20 seconds to restart the
# required nas daemon. If the wireless client has saved the passphrase then
# this will need to be removed before reconnecting. If it does not reconnect
# then try turning the wireless interface off and back on.
#
# A logfile containing actions taken by the script can be found at
# /tmp/set_passphrase.log
#
#-----------------------------------------------------------------------------
if [ "`nvram get wl0.1_security_mode`" = "psk" ]; then
security_mode=4
elif [ "`nvram get wl0.1_security_mode`" = "psk2" ]; then
security_mode=128
else
echo ERROR: this script requires that the Virtual Wireless Interface be set to \"WPA Personal\" or \"WPA2 Personal\"
exit
fi
if [ "`nvram get cron_enable`" -ne 1 ]; then
echo "Turning on cron"
nvram set cron_enable=1
nvram commit
stopservice cron && startservice cron
fi
if [ "`nvram get cron_jobs | grep -c set_passphrase`" -eq 0 ]; then
echo "Adding set_passphrase.sh to cron"
nvram set cron_jobs="0 0-23 * * * root /jffs/set_passphrase.sh >> /tmp/set_passphrase.log 2>&1"
nvram commit
stopservice cron && startservice cron
fi
if [ "`nvram get wl0_crypto | grep tkip`" != "" ] &&
[ "`nvram get wl0.1_crypto | grep tkip`" != "" ]; then
echo "WARNING: both wireless interfaces have a WPA Algorithm of TKIP."
echo " This can cause intermittent connection problems."
echo " Recommend that the WPA Algorithm be set to AES."
fi
wpa_algorithm=`nvram get wl0.1_crypto`
if [ "$wpa_algorithm" = "aes" ]; then
crypto=4
elif [ "$wpa_algorithm" = "tkip" ]; then
crypto=2
elif [ "$wpa_algorithm" = "tkip+aes" ]; then
crypto=6
else
echo "ERROR: Unknown WPA Algorithm"
exit
fi
#d=`date +%b%d | tr A-Z a-z` #MMMdd
d=`date +%a%d | tr A-Z a-z` #DDDdd
passphrase=temp_`echo $d | cut -c3``echo $d | cut -c2``echo $d | cut -c1``echo $d | cut -c5``echo $d | cut -c4`
if [ "`nvram get wl0.1_wpa_psk`" != "$passphrase" ]; then
nvram set wl0.1_wpa_psk=$passphrase
nvram commit
echo `date`: Setting `nvram get wl0.1_ssid` passphrase to `nvram get wl0.1_wpa_psk`
kill -9 $( cat /tmp/nas.wl0.1lan.pid )
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br0 \
-i wl0.1 -A \
-m $security_mode \
-k "`nvram get wl0.1_wpa_psk`" \
-s "`nvram get wl0.1_ssid`" \
-w $crypto \
-g "`nvram get wl0.1_wpa_gtk_rekey`"
echo
fi
Posted: Tue Feb 09, 2010 16:38 Post subject:
This is a great idea but how would I do that every month?
I'm not familiar with the scripting, but is there a random function you can call for the password, and a way to have the finished, new passphrase sent/emailed to a user?
guycyr - you need to do a few things:
1. install a dd-wrt build with both jffs AND the openvpn client
2. follow the instructions in the script comments.
Everyone else: I modified this code so that it also renames the ssid. I removed the date reversing code because I don't care if it's easy to connect to, I just don't want people to cache the credentials and use it accidentally.
In case it will be useful to anyone, here it is:
Code:
#!/bin/sh
# set_passphrase.sh
#
# This DD-WRT script sets the main wireless interface (wl0)
# ssid and passphrase at midnight every day. It will run on the hour and reset the
# passphrase if it is not correct, but under normal circumstances the passphrase
# will only be changed at midnight.
#
# The wireless passphrase will be set to "Temp_" + yymmdd, where
# - yy is the two digit year
# - mm is the two digit month number
# - dd is the two digit day
# For example, on Jan 10, 2009, the router would have a passphrase of Temp_090110 and
# an ssid of TempSSID_090110
#
# This job will automatically add itself to cron if not already defined.
#
# This program requires a jffs partition which will need to be manually
# created if it does not already exist.
#
# This file should be copied to /jffs/set_passphrase.sh and have the
# execute bit set (chmod +x /jffs/set_passphrase.sh).
#
#
# Note that a WPA2 Personal Passphrase must be at least 8 characters in length.
#
# This procedure supports only WPA Personal and WPA2 Personal security
# modes.
#
# After changing the passphrase it may take up to 20 seconds to restart the
# required nas daemon. If the wireless client has saved the passphrase then
# this will need to be removed before reconnecting. If it does not reconnect
# then try turning the wireless interface off and back on.
#
# A logfile containing actions taken by the script can be found at
# /tmp/set_passphrase.log
#
#-----------------------------------------------------------------------------
if [ "`nvram get wl0_security_mode`" = "psk" ]; then
security_mode=4
elif [ "`nvram get wl0_security_mode`" = "psk2" ]; then
security_mode=128
else
echo ERROR: this script requires that the wireless interface wl0 be set to \"WPA Personal\" or \"WPA2 Personal\"
exit
fi
if [ "`nvram get cron_enable`" -ne 1 ]; then
echo "Turning on cron"
nvram set cron_enable=1
nvram commit
stopservice cron && startservice cron
fi
if [ "`nvram get cron_jobs | grep -c set_passphrase`" -eq 0 ]; then
echo "Adding set_passphrase.sh to cron"
nvram set cron_jobs="0 0-23 * * * root /jffs/set_passphrase.sh >> /tmp/set_passphrase.log 2>&1"
nvram commit
stopservice cron && startservice cron
fi
if [ "`nvram get wl0_crypto | grep tkip`" != "" ] &&
[ "`nvram get wl0.1_crypto | grep tkip`" != "" ]; then
echo "WARNING: both wireless interfaces have a WPA Algorithm of TKIP."
echo " This can cause intermittent connection problems."
echo " Recommend that the WPA Algorithm be set to AES."
fi
wpa_algorithm=`nvram get wl0_crypto`
if [ "$wpa_algorithm" = "aes" ]; then
crypto=4
elif [ "$wpa_algorithm" = "tkip" ]; then
crypto=2
elif [ "$wpa_algorithm" = "tkip+aes" ]; then
crypto=6
else
echo "ERROR: Unknown WPA Algorithm"
exit
fi
# Build today's passphrase and SSID as described in the header
# (Temp_yymmdd / TempSSID_yymmdd). Added here: the posted script used
# $passphrase and $newssid without ever setting them.
d=`date +%y%m%d`
passphrase=Temp_$d
newssid=TempSSID_$d
if [ "`nvram get wl0_wpa_psk`" != "$passphrase" ]; then
nvram set wl0_wpa_psk=$passphrase
#nvram commit
nvram set wl0_ssid=$newssid
nvram commit
echo `date`: Setting `nvram get wl0_ssid` passphrase to `nvram get wl0_wpa_psk`
kill -9 $( cat /tmp/nas.wl0lan.pid )
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 \
-i wl0 -A \
-m $security_mode \
-k "`nvram get wl0_wpa_psk`" \
-s "`nvram get wl0_ssid`" \
-w $crypto \
-g "`nvram get wl0_wpa_gtk_rekey`"
echo
fi
Posted: Sat Dec 10, 2011 14:46 Post subject: Updated script?
Hi guys
Is there anybody with an updated script, because I'm not sure if it will work on newer versions since they renamed every Wifi-interface to "raX" where X is a number...?
I saw this post and thought it was an awesome idea. I'm new to DD-WRT but love it and want to thank everyone who worked/works to create and maintain it.
I took kingsmill's original script and modified it as some of the commands didn't work on my version (I imagine it's because I'm on an Atheros chipset, D-Link DIR-632).
I also modified it to pull the new PSK from a pre-generated list, that way I could sync the change with my other devices.
So here's the code ... please keep in mind that I am in no way a programmer and I'm new to bash scripting, also the following code works for me but doesn't mean there isn't a better way to do it.
Thanks
Code:
#!/bin/sh
# set_passphrase.sh
#
# This script runs every hour and changes the PSK at 4 am EST by
# sequentially pulling a PSK from a pregenerated list defined below.
#
# If you would like to change the hour when the PSK changes,
# change the 8 in the "i=$(( ... ))" line below. The 8 is the number of hours
# difference from UTC to EST plus 4 hours to make the change occur at 4 am.
#
# The PSK list should have one PSK per line and should avoid the
# following characters ' " `
#
# A logfile containing actions taken by the script can be found at
# /jffs/set_passphrase.log
#-----------------------------------------------------------------------------
#Define User Variables
#Set Location of Key list - List should have one key per line
pFile="/jffs/PSK.list"
#Number of lines/keys in list
nKeys=1000
#Set device id ie: ath0, ath0.1
wDev="ath0"
echo "$(date +%D" "%T) - Running $(basename $0)"
#Check if cron is enabled, if no enable it
if [ "$(nvram get cron_enable)" -ne 1 ]; then
echo "$(date +%D" "%T) - Turning on cron"
nvram set cron_enable=1
nvram commit
stopservice cron && startservice cron
fi
#Check if script is set as a cron job, if no add it
if [ "$(nvram get cron_jobs | grep -c set_passphrase)" -eq 0 ]; then
echo "$(date +%D" "%T) - Adding set_passphrase.sh to cron"
nvram set cron_jobs="0 0-23 * * * root /jffs/set_passphrase.sh >> /jffs/set_passphrase.log 2>&1"
nvram commit
stopservice cron && startservice cron
fi
#Pull PSK from PSK list based on day
i=$(( ($(date +%s)+(8*60*60))/(60*60*24) ))
while [ $i -gt $nKeys ]
do
i=$(( $i - $nKeys ))
done
PSKnew=$( sed -n "$i"p $pFile )
#Pull current PSK
PSKold=$( nvram get "$wDev"_wpa_psk )
#Check if PSK needs to be update, if not exit, else update new PSK and restart service
if [ "$PSKnew" = "$PSKold" ]; then
echo "$(date +%D" "%T) - PSK is correct ... Exiting"
exit
else
echo "$(date +%D" "%T) - PSK is not correct ... updating"
SSID=$( nvram get "$wDev"_ssid )
PSKold=$( grep -A 15 "$SSID" /tmp/ath0_hostap.conf |grep wpa_passphrase= |cut -d'=' -f2- )
PSKold=$(echo $PSKold | sed 's_._[&]_g')
echo "$(date +%D" "%T) - Killing hostapd service."
kill $(cat /tmp/var/run/ath0_hostapd.pid)
echo "$(date +%D" "%T) - Updating PSK in hostap.conf"
sed -i 's_'"$PSKold"'_'"$PSKnew"'_g' /tmp/ath0_hostap.conf
nvram set "$wDev"_wpa_psk=$PSKnew
sleep 3
echo "$(date +%D" "%T) - Restarting hostapd service."
hostapd -B -P /tmp/var/run/ath0_hostapd.pid /tmp/ath0_hostap.conf
fi
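As an added example (not part of any post in this thread), here is a POSIX sh way to generate the /jffs/PSK.list that the hostapd script above reads, plus the line-selection arithmetic that script does with a subtraction loop, written as a single modulo. Keys are restricted to [A-Za-z0-9] so that none contains the ' " ` characters the script warns about, nor _ or &, which would break that script's sed substitution (it uses _ as the delimiter, and & is special in the replacement). The function names gen_psk, gen_psk_list and psk_index are my own.

```shell
#!/bin/sh
# Added example, not from the thread: build the one-key-per-line PSK.list
# that the hostapd variant reads.  Keys use only [A-Za-z0-9], so none
# contains ' " ` (warned about in the script) or _ and &, which that
# script's "sed -i 's_OLD_NEW_g'" would misinterpret.  Needs only
# /dev/urandom, tr and head, all present in BusyBox.

# gen_psk <len>: print one random passphrase of <len> characters.
# WPA/WPA2 Personal passphrases must be 8..63 characters long.
gen_psk() {
    len=${1:-20}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "gen_psk: length must be between 8 and 63" >&2
        return 1
    fi
    # LC_ALL=C keeps tr byte oriented; bytes outside the set are dropped.
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
    echo
}

# gen_psk_list <count> <len>: <count> lines, one passphrase per line.
gen_psk_list() {
    n=${1:-1000}
    i=0
    while [ "$i" -lt "$n" ]; do
        gen_psk "$2" || return 1
        i=$((i + 1))
    done
}

# psk_index <epoch> <offset_hours> <nkeys>: the 1-based line the rotation
# scheme selects for a day; equivalent to the script's subtraction loop
# (for day >= 1) but written as a single modulo.
psk_index() {
    day=$(( ($1 + $2 * 3600) / 86400 ))
    echo $(( (day - 1) % $3 + 1 ))
}

# Usage on the router: gen_psk_list 1000 20 > /jffs/PSK.list
```

Because the list is consumed by line number, every device that shares the rotation must hold an identical copy of the file and use the same nKeys.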