Automatically change Wireless Passphrase each day

kingsmill
DD-WRT User


Joined: 20 May 2008
Posts: 79

PostPosted: Wed Dec 30, 2009 4:34    Post subject: Automatically change Wireless Passphrase each day
The enclosed attachment is a script that submits itself as a cron job and then automatically changes the SSID passphrase of the first Virtual Wireless interface (wl0.1) at midnight each day.

The script automatically sets the passphrase to temp_DDDdd where DDD is the first three letters of the day reversed and dd is the day of the month reversed. Thus, on Monday 21-Jan the passphrase will be set to temp_nom12. The script can automatically be modified to change the format of the passphrase.

Code:

#!/bin/sh
# set_passphrase.sh
#
# This DD-WRT script sets the first virtual wireless interface (wl0.1)
# passphrase at midnight every day. It will run on the hour and reset the
# passphrase if it is not correct, but under normal circumstances the passphrase
# will only be changed at midnight.
#
# The wireless passphrase will be set to "temp_DDDdd", where
#   - DDD is the first three letters of the day in lowercase reverse order
#   - dd is the numerical day of the month in reverse order. Single digit days
#     of the month will have a 0 (zero) prefix.
#   For example, Monday 10-Jan would equate to nom01
#
# This job will automatically add itself to cron if not already defined.
#
# This program requires a jffs partition which will need to be manually
#   created if it does not already exist.
#
# This file should be copied to /jffs/set_passphrase.sh and have the
#   execute bit set (chmod +x /jffs/set_passphrase.sh).
#
# The virtual wireless must be manually created from the WEB GUI.
#     Wireless, Basic Settings, Virtual Interfaces.
#       Click Add, set the SSID followed by Save and Apply Settings.
#     Wireless, Wireless Security, Virtual Interfaces wl0.1 SSID.
#       Set the Security Mode to "WPA2 Personal" and then set the initial
#       "WPA Shared Key", Save, Apply Settings. This script will change
#       the password.
#
# Note that a WPA2 Personal Passphrase must be at least 8 characters in length.
#
# By default, DD-WRT sets the "WPA Algorithm" to TKIP. If there is more than
#   one wireless interface set with a "WPA Algorithm" of TKIP or TKIP+AES then
#   wireless clients may experience intermittent connection problems. I would
#   recommend that all wireless interfaces have their "WPA Algorithm"
#   set to "AES". This is done from the Wireless, Wireless Security Tab.
#
# This procedure supports only "WPA Personal" and "WPA2 Personal" security
#   modes.
#
# After changing the passphrase it may take up to 20 seconds to restart the
# required nas daemon. If the wireless client has saved the passphrase then
# this will need to be removed before reconnecting. If it does not reconnect
# then try turning the wireless interface off and back on.
#
# A logfile containing actions taken by the script can be found at
# /tmp/set_passphrase.log
#
#-----------------------------------------------------------------------------

# Map the GUI security mode of wl0.1 to the numeric -m value nas expects.
security_mode_name=`nvram get wl0.1_security_mode`
if [ "$security_mode_name" = "psk" ]; then
     security_mode=4
elif [ "$security_mode_name" = "psk2" ]; then
     security_mode=128
else
   echo "ERROR: this script requires that the Virtual Wireless Interface be set to \"WPA Personal\" or \"WPA2 Personal\""
   exit 1
fi

# Make sure cron is running.
if [ "`nvram get cron_enable`" != "1" ]; then
   echo "Turning on cron"
   nvram set cron_enable=1
   nvram commit
   stopservice cron && startservice cron
fi

# Add this script to cron (hourly) without discarding jobs already there
# (cron_jobs holds one job per line).
if [ "`nvram get cron_jobs | grep -c set_passphrase`" -eq 0 ]; then
   echo "Adding set_passphrase.sh to cron"
   existing_jobs=`nvram get cron_jobs`
   new_job="0 0-23 * * * root /jffs/set_passphrase.sh >> /tmp/set_passphrase.log  2>&1"
   if [ -z "$existing_jobs" ]; then
      nvram set cron_jobs="$new_job"
   else
      nvram set cron_jobs="$existing_jobs
$new_job"
   fi
   nvram commit
   stopservice cron && startservice cron
fi

if [ "`nvram get wl0_crypto | grep tkip`" != "" ] &&
   [ "`nvram get wl0.1_crypto | grep tkip`" != "" ]; then
   echo "WARNING: both wireless interfaces have a WPA Algorithm of TKIP."
   echo "         This can cause intermittent connection problems."
   echo "         Recommend that the WPA Algorithm be set to AES."
fi

# Map the WPA algorithm of wl0.1 to the numeric -w value nas expects.
wpa_algorithm=`nvram get wl0.1_crypto`
if   [ "$wpa_algorithm" = "aes" ]; then
     crypto=4
elif [ "$wpa_algorithm" = "tkip" ]; then
     crypto=2
elif [ "$wpa_algorithm" = "tkip+aes" ]; then
     crypto=6
else
     echo "ERROR: Unknown WPA Algorithm"
     exit 1
fi

# Build today's passphrase: reverse the 3-letter day name, then the 2-digit day.
#d=`date +%b%d | tr A-Z a-z`    #MMMdd
d=`date +%a%d | tr A-Z a-z`     #DDDdd
passphrase=temp_`echo $d | cut -c3``echo $d | cut -c2``echo $d | cut -c1``echo $d | cut -c5``echo $d | cut -c4`

# Only touch nvram and restart nas when the passphrase actually differs.
if [ "`nvram get wl0.1_wpa_psk`" != "$passphrase" ]; then
   nvram set wl0.1_wpa_psk="$passphrase"
   nvram commit
   echo `date`: Setting `nvram get wl0.1_ssid` passphrase to `nvram get wl0.1_wpa_psk`
   # Restart the WPA authenticator (nas) for wl0.1 so the new key takes effect.
   kill -9 $( cat /tmp/nas.wl0.1lan.pid )
   nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br0 \
       -i wl0.1 -A                              \
       -m $security_mode                        \
       -k "`nvram get wl0.1_wpa_psk`"           \
       -s "`nvram get wl0.1_ssid`"              \
       -w $crypto                               \
       -g "`nvram get wl0.1_wpa_gtk_rekey`"
   echo
fi



Geoff..
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 174
Location: United Kingdom

PostPosted: Tue Feb 09, 2010 16:38    Post subject:
This is a great idea, but how would I do that every month?
_________________
TP-Link TL-WDR3600v1 DD-WRT v24-sp2 (06/23/14) std (SVN revision 24461) Main AP
D-Link DIR-615 D2: DD-WRT v24-sp2 (04/18/14) std (SVN revision 23919) Second AP
ISP: Virgin Media, Cable/Fibre Optic, Upto 152Mb/12Mb
codigo
DD-WRT Novice


Joined: 03 Feb 2010
Posts: 8

PostPosted: Wed Feb 24, 2010 16:00    Post subject:
Impressive how secure this is ... lol
goodlight
DD-WRT Novice


Joined: 20 Apr 2010
Posts: 1

PostPosted: Tue Apr 20, 2010 23:09    Post subject:
I'm not familiar with the scripting, but is there a random function you can call for the password, and a way to have the finished, new passphrase sent/emailed to a user?
guycyr
DD-WRT Novice


Joined: 21 Aug 2010
Posts: 17
Location: Quebec

PostPosted: Mon Aug 30, 2010 16:37    Post subject:
Hi, this is what I have been seeking for 4 weeks now.

Can you explain to me where I put this script in my router so that it is saved and executed automatically each time I reboot my router?

Thanks a lot
ghunum
DD-WRT Novice


Joined: 07 Jul 2010
Posts: 17

PostPosted: Fri Sep 10, 2010 20:08    Post subject:
guycyr - you need to do a few things:
1. install a dd-wrt build with both jffs AND the openvpn client
2. follow the instructions in the script comments.

Everyone else: I modified this code so that it also renames the ssid. I removed the date reversing code because I don't care if it's easy to connect to, I just don't want people to cache the credentials and use it accidentally.

In case it will be useful to anyone, here it is:

Code:

#!/bin/sh
# set_passphrase.sh
#
# This DD-WRT script sets the main wireless interface (wl0)
# ssid and passphrase at midnight every day. It will run on the hour and reset the
# passphrase if it is not correct, but under normal circumstances the passphrase
# will only be changed at midnight.
#
# The wireless passphrase will be set to "Temp_" + yymmdd, where
#   - yy is the two digit year
#   - mm is the two digit month number
#   - dd is the two digit day
#   For example, on Jan 10, 2009, the router would have a passphrase of Temp_090110 and
#   an ssid of TempSSID_090110
#
# This job will automatically add itself to cron if not already defined.
#
# This program requires a jffs partition which will need to be manually
#   created if it does not already exist.
#
# This file should be copied to /jffs/set_passphrase.sh and have the
#   execute bit set (chmod +x /jffs/set_passphrase.sh).
#
# Note that a WPA2 Personal Passphrase must be at least 8 characters in length.
#
# This procedure supports only WPA Personal and WPA2 Personal security
#   modes.
#
# After changing the passphrase it may take up to 20 seconds to restart the
# required nas daemon. If the wireless client has saved the passphrase then
# this will need to be removed before reconnecting. If it does not reconnect
# then try turning the wireless interface off and back on.
#
# A logfile containing actions taken by the script can be found at
# /tmp/set_passphrase.log
#
#-----------------------------------------------------------------------------

# Map the GUI security mode of wl0 to the numeric -m value nas expects.
security_mode_name=`nvram get wl0_security_mode`
if [ "$security_mode_name" = "psk" ]; then
     security_mode=4
elif [ "$security_mode_name" = "psk2" ]; then
     security_mode=128
else
     echo "ERROR: this script requires that the Wireless Interface be set to \"WPA Personal\" or \"WPA2 Personal\""
     exit 1
fi

# Make sure cron is running.
if [ "`nvram get cron_enable`" != "1" ]; then
     echo "Turning on cron"
     nvram set cron_enable=1
     nvram commit
     stopservice cron && startservice cron
fi

# Add this script to cron (hourly) without discarding jobs already there
# (cron_jobs holds one job per line).
if [ "`nvram get cron_jobs | grep -c set_passphrase`" -eq 0 ]; then
     echo "Adding set_passphrase.sh to cron"
     existing_jobs=`nvram get cron_jobs`
     new_job="0 0-23 * * * root /jffs/set_passphrase.sh >> /tmp/set_passphrase.log  2>&1"
     if [ -z "$existing_jobs" ]; then
          nvram set cron_jobs="$new_job"
     else
          nvram set cron_jobs="$existing_jobs
$new_job"
     fi
     nvram commit
     stopservice cron && startservice cron
fi

if [ "`nvram get wl0_crypto | grep tkip`" != "" ] &&
   [ "`nvram get wl0.1_crypto | grep tkip`" != "" ]; then
      echo "WARNING: both wireless interfaces have a WPA Algorithm of TKIP."
      echo "         This can cause intermittent connection problems."
      echo "         Recommend that the WPA Algorithm be set to AES."
fi

# Map the WPA algorithm of wl0 to the numeric -w value nas expects.
wpa_algorithm=`nvram get wl0_crypto`

if   [ "$wpa_algorithm" = "aes" ]; then
      crypto=4
elif [ "$wpa_algorithm" = "tkip" ]; then
      crypto=2
elif [ "$wpa_algorithm" = "tkip+aes" ]; then
      crypto=6
else
      echo "ERROR: Unknown WPA Algorithm"
      exit 1
fi

# Build today's passphrase and SSID suffix from the date.
#d=`date +%b%d | tr A-Z a-z`    #MMMdd
#d=`date +%a%d | tr A-Z a-z`    #DDDdd
d=`date +%y%m%d`                #yymmdd

passphrase=Temp_$d
newssid=TempSSID_$d

# Only touch nvram and restart nas when the passphrase actually differs.
if [ "`nvram get wl0_wpa_psk`" != "$passphrase" ]; then
      nvram set wl0_wpa_psk="$passphrase"
      nvram set wl0_ssid="$newssid"
      nvram commit
      echo `date`: Setting `nvram get wl0_ssid` passphrase to `nvram get wl0_wpa_psk`
      # Restart the WPA authenticator (nas) for wl0 so the new key takes effect.
      kill -9 $( cat /tmp/nas.wl0lan.pid )
      nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 \
           -i wl0 -A                             \
           -m $security_mode                     \
           -k "`nvram get wl0_wpa_psk`"          \
           -s "`nvram get wl0_ssid`"             \
           -w $crypto                            \
           -g "`nvram get wl0_wpa_gtk_rekey`"
      echo
fi
hyper
DD-WRT Novice


Joined: 20 Aug 2006
Posts: 21

PostPosted: Sat Dec 10, 2011 14:46    Post subject: Updated script?
Hi guys

Is there anybody with an updated script, because I'm not sure if it will work on newer versions since they renamed every Wifi-interface to "raX" where X is a number...?
tsol.mi
DD-WRT Novice


Joined: 09 May 2012
Posts: 1

PostPosted: Wed May 09, 2012 2:15    Post subject:
Hey all,

I saw this post and thought it was an awesome idea. I'm new to DD-WRT but love it and want to thank everyone who worked/works to create and maintain it.

I took kingsmill's original script and modified it as some of the commands didn't work on my version (I imagine it's because I'm on an Atheros chipset, D-Link DIR-632).

I also modified it to pull the new PSK from a pre-generated list, that way I could sync the change with my other devices.

So here's the code ... please keep in mind that I am in no way a programmer and I'm new to bash scripting; also, the following code works for me but that doesn't mean there isn't a better way to do it.

Thanks

Code:

#!/bin/sh
# set_passphrase.sh
#
# This script runs every hour and changes the PSK at 4 am EST by
# sequentially pulling a PSK from a pregenerated list defined below.
#
# If you would like to change the hour when the PSK changes,
# change the 8 in the line below that computes i. The 8 is the number of hours
# difference from UTC to EST plus 4 hours to make the change occur at 4 am.
#
# The PSK list should have one PSK per line and should avoid the
# following characters ' " ` and also _ and &, which are special to the
# sed command used below to patch hostap.conf.
#
# A logfile containing actions taken by the script can be found at
# /jffs/set_passphrase.log
#-----------------------------------------------------------------------------

#Define User Variables
#Set Location of Key list - List should have one key per line
   pFile="/jffs/PSK.list"
#Number of lines/keys in list
   nKeys=1000
#Set device id ie: ath0, ath0.1
   wDev="ath0"

echo "$(date '+%D %T') - Running $(basename $0)"

#Check if cron is enabled, if not enable it
   if [ "$(nvram get cron_enable)" != "1" ]; then
      echo "$(date '+%D %T') -   Turning on cron"
      nvram set cron_enable=1
      nvram commit
      stopservice cron && startservice cron
   fi

#Check if script is set as a cron job, if not add it (appending, so any
#other jobs already in cron_jobs are kept)
   if [ "$(nvram get cron_jobs | grep -c set_passphrase)" -eq 0 ]; then
      echo "$(date '+%D %T') - Adding set_passphrase.sh to cron"
      existing=$(nvram get cron_jobs)
      job="0 0-23 * * * root /jffs/set_passphrase.sh >> /jffs/set_passphrase.log  2>&1"
      if [ -z "$existing" ]; then
         nvram set cron_jobs="$job"
      else
         nvram set cron_jobs="$existing
$job"
      fi
      nvram commit
      stopservice cron && startservice cron
   fi

#Pull PSK from PSK list based on day: days since the epoch (shifted by 8 hours),
#wrapped into the range 1..nKeys so sed is never asked for line 0
   i=$(( ($(date +%s)+(8*60*60))/(60*60*24) ))
   i=$(( (i - 1) % nKeys + 1 ))
   PSKnew=$( sed -n "$i"p "$pFile" )
   if [ -z "$PSKnew" ]; then
      echo "$(date '+%D %T') - ERROR: no key on line $i of $pFile ... Exiting"
      exit 1
   fi

#Pull current PSK
   PSKold=$( nvram get "$wDev"_wpa_psk )

#Check if PSK needs to be updated, if not exit, else update new PSK and restart service
   if [ "$PSKnew" = "$PSKold" ]; then
      echo "$(date '+%D %T') - PSK is correct ... Exiting"
      exit
   else
      echo "$(date '+%D %T') - PSK is not correct ... updating"
      SSID=$( nvram get "$wDev"_ssid )
      #Read the passphrase hostapd is actually using from its config, then
      #bracket every character so sed matches it literally below
      PSKold=$( grep -F -A 15 "$SSID" /tmp/ath0_hostap.conf | grep wpa_passphrase= | cut -d'=' -f2- )
      PSKold=$(echo "$PSKold" | sed 's_._[&]_g')
      echo "$(date '+%D %T') - Killing hostapd service."
      kill $(cat /tmp/var/run/ath0_hostapd.pid)
      echo "$(date '+%D %T') - Updating PSK in hostap.conf"
      sed -i 's_'"$PSKold"'_'"$PSKnew"'_g' /tmp/ath0_hostap.conf
      nvram set "$wDev"_wpa_psk="$PSKnew"
      sleep 3
      echo "$(date '+%D %T') - Restarting hostapd service."
      hostapd -B -P /tmp/var/run/ath0_hostapd.pid /tmp/ath0_hostap.conf
   fi
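Added example, not code from any post in this thread: the passphrase derivation from kingsmill's script, the key-list index from tsol.mi's script, and the cron_jobs append both scripts need, written as pure shell functions (names are my own) so the arithmetic and the wrap-around edge case can be checked on a PC before anything is put on a router.

```sh
#!/bin/sh
# Added example, not code from any post above. Pure functions that run
# off the router: kingsmill's temp_DDDdd derivation, tsol.mi's key-list
# index, and a cron_jobs append that keeps existing jobs instead of
# overwriting them. Function names are my own.

# kingsmill's scheme: takes the output of `date +%a%d` (e.g. "Mon21") and
# returns temp_DDDdd with the day name and day number each reversed.
daily_passphrase() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'temp_%s%s%s%s%s' \
        "$(printf '%s' "$d" | cut -c3)" "$(printf '%s' "$d" | cut -c2)" \
        "$(printf '%s' "$d" | cut -c1)" "$(printf '%s' "$d" | cut -c5)" \
        "$(printf '%s' "$d" | cut -c4)"
}

# tsol.mi's scheme: 1-based line number into the key list, from epoch
# seconds, the hour offset (8 = UTC-to-EST difference plus 4 h so the key
# rolls at 04:00) and the list length. An exact multiple of nkeys maps to
# nkeys, never to 0, which is what the original while loop guarantees.
key_index() {
    secs=$1; offset_h=$2; nkeys=$3
    day=$(( (secs + offset_h * 3600) / 86400 ))
    echo $(( (day - 1) % nkeys + 1 ))
}

# Append a job to a newline-separated cron_jobs value only if it is not
# already present; the scripts above replace the whole value, which
# silently drops any other jobs configured on the router.
cron_jobs_with() {
    jobs=$1; job=$2
    if printf '%s\n' "$jobs" | grep -qF -- "$job"; then
        printf '%s' "$jobs"
    elif [ -z "$jobs" ]; then
        printf '%s' "$job"
    else
        printf '%s\n%s' "$jobs" "$job"
    fi
}

# Constructed sample values, so the script runs without a router.
daily_passphrase Mon21; echo            # temp_nom12
key_index 1234567890 8 1000             # 289
cron_jobs_with "" "0 0-23 * * * root /jffs/set_passphrase.sh"; echo
```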