HOWTO: Encrypt passwords for OpenVPN user-auth-pass option.

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Contributions Upload
Author Message
mrwizeman
DD-WRT Novice


Joined: 01 Sep 2009
Posts: 1

PostPosted: Tue Sep 01, 2009 6:47    Post subject: HOWTO: Encrypt passwords for OpenVPN user-auth-pass option. Reply with quote
Yeah... I dont know if this belongs here, but I know I came to the forum and searched like crazy for a way to store passwords and usernames encrypted when using the user-auth-pass option in OpenVPN, so anyway I figured out a way to do it, here are my scripts for it, hopefully it will be helpful to someone else:

The script to generate the hash:
Code:
#GenHash.sh by MrWizeman 2009
#!/bin/sh

genhash() {
        echo You are generating a HASH for user: $1
        echo with the password                         : $2
        HASHPASS=`echo -n $1$2 | md5sum | sed s'/\  -//'`
        i=0
        while [ $i != 10 ]; do
            HASHPASS=`echo -n $HASHPASS$HASHPASS | md5sum | sed s'/\  -//'`
            #echo [$i] HASHPASS=$HASHPASS
            i=`expr $i + 1`
        done
        echo HASHPASS=$HASHPASS
}
genhash $1 $2


And here is the actual script openvpn will call to authenticate a user: (I pasted this in the web interface and placed this line in my openvpn server config: auth-user-pass-verify /tmp/custom.sh via-file
but I guess you could rename it to whatever...)
The hash in the script below is for user: test and pass: test
Code:
#Custom.sh by MrWizeman 2009
#!/bin/sh

HASH='1bbd7254581aaab10868ccfdc0860d68'
#echo HASH = $HASH
#echo param 1 = $1
#echo param 2 = $2

vpn_verify() {
        if [[ ! $1 ]] || [[ ! $2 ]]; then
            #echo "No username or password: $*"
            exit 1
        fi
        HASHPASS=`echo -n $1$2 | md5sum | sed s'/\  -//'`
        #echo HASHPASS = $HASHPASS
        #if [ $HASH == $HASHPASS ]; then
        #    echo MATCH!!
        #else
        #    echo NO MATCH!!!
        #fi
        i=0
        while [ $i != 10 ]; do
            HASHPASS=`echo -n $HASHPASS$HASHPASS | md5sum | sed s'/\  -//'`
            #echo [$i] HASHPASS=$HASHPASS
            i=`expr $i + 1`
        done
        #echo HASHPASS=$HASHPASS
        if [ $HASH == $HASHPASS ]; then
            #echo MATCH!!
            exit 0
        else
            #echo NO MATCH!!!
            exit 1
        fi
}
if [[ ! $1 ]] || [[ ! -e $1 ]]; then
     #echo "No file"
     exit 1
fi
vpn_verify `cat $1`
#echo "No user with this password found"
exit 1



If you need an explaination of where to put the scripts and how they work in more detail go read my notes about this in the WIKI http://www.dd-wrt.com/wiki/index.php/OpenVPN#Additional_Server_Protection_with_usernames_and_passwords

In short I hash the username and password and then add the hash to itself, and do that 10 times over, I got that idea from the author of the passwd we use Poul-Henning Kamp but he does it 1000 times...

You can easily change this script to hash it 1000 times, but I think 10 is enough it will take a bruteforce program forever to first hash the user and pass and then hash the hashes 10 times, just to find out if it matches, and besides the weak ass processor of the routers we use will take forever to check our credentials if we do it that way... so anyway here it is: you have to run it in telnet the first time to figure out what your hash is, then change that in your script.
Good Luck, and if someone here that doesnt suck as bad as I do at shellscripting can add multi user functionality to the script feel free to post! I only added the ability to check a single users pass with the above script...
Sponsor
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Contributions Upload All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum