sfflogon

This program authenticates a logon/password in one of a number of ways:

    1. w4 logon

    2. against an apache httpd server (possibly running radius)
        sfflogon -s server3 -p 80 -t http -l logon -w passwd

It can also be used to encrypt a password and stop (using the -w and -e input
switches):
    # perl example - in the real world, remember to escape any shell
    # metacharacters in the password beforehand
    @RESblock = `/fip/bin/sfflogon -w '!!chrisIsAzero' -e XA`;
    $encPwd = $RESblock[0];

The parameter file is (normally) web/setup/customer.setup:

    ; Internal v External logons
    external-address:195.13.83.*
    internal-address:10.1.*.*
    internal-address:10.2.*.*
    OR
    use-whitelist-file:yes/no   default: no
        this uses setup/(BLOCK)_WHITELISTS

    ; assume the address is internal or external if not explicitly stated above
    default-address:internal/external
        default: internal

    ; Cookies
    allow-cookies:yes/no
        Allow users to use cookies so they do not need to logon each time
        default: no

    allow-external-cookies:yes/no
        Allow external users to use cookies.
        default: no

    logon-list-file:(name of list file)
        This is in /fip/web/logon/lists/ and is forced upper case with .INTERNAL
        and .EXTERNAL extensions
        syntax is
            ; comment line
            name | password | pub | group to use | description or real name | buttons/usertype | wires | options | prefs
        currently only name, password and group are used
    logon-list-extra1:
    logon-list-extra2: (ext of list file)
        Two optional extensions for extra logon files that are tested first
        eg  logon-list-file:SUN
            logon-list-extra1:temp
        So there can be 2 or 3 logon list files:
            - SUN.TEMP will be checked first
            - then either SUN.INTERNAL or SUN.EXTERNAL depending on where the
              request is sourced.
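The address rules above (external-address / internal-address / default-address) and the logon-list-file selection can be seen working together in the following added example. It is not FingerPost's own code; the customer.setup fragment and the list files are constructed samples, and since the page does not say which wins when an address matches both lists, the example checks the internal list first and assumes the rules do not overlap.

```python
"""Added example (not FingerPost's own code): the internal/external address
rules and the logon-list-file selection described above.  The customer.setup
fragment and the list files below are constructed samples, not a real site's."""

# Constructed customer.setup fragment (the keys are the ones documented above).
SETUP = """\
; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
default-address:internal
logon-list-file:sun
logon-list-extra1:temp
"""

# Constructed list files, keyed by the name they would have under
# /fip/web/logon/lists/.  SUN.TEMP is the extra1 file, checked first.
LIST_FILES = {
    "SUN.TEMP": "; temporary logons\nguest | g0est | SUN | WIRES | Guest account |\n",
    "SUN.INTERNAL": (
        "; name | password | pub | group to use | description or real name |"
        " buttons/usertype | wires | options | prefs\n"
        "chris | s3cret | SUN | WIRES-ADMIN | Chris Example | | | |\n"
        "anna | pa55 | SUN | WIRES | Anna Example |\n"
    ),
    "SUN.EXTERNAL": "; nobody may come in from outside yet\n",
}

FIELDS = ["name", "password", "pub", "group", "description",
          "usertype", "wires", "options", "prefs"]


def parse_setup(text):
    """key -> list of values, in file order; ';' lines are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def addr_matches(addr, pattern):
    """Octet-wise match: '*' in the pattern matches any one octet."""
    a, p = addr.split("."), pattern.split(".")
    return len(a) == len(p) and all(y == "*" or x == y for x, y in zip(a, p))


def classify_address(cfg, addr):
    """'internal' or 'external'.  Assumes non-overlapping rules and checks the
    internal list first; an unmatched address gets default-address."""
    if any(addr_matches(addr, p) for p in cfg.get("internal-address", [])):
        return "internal"
    if any(addr_matches(addr, p) for p in cfg.get("external-address", [])):
        return "external"
    return cfg.get("default-address", ["internal"])[0]


def logon_list_files(cfg, where):
    """List-file names in the order they are checked: the extra1/extra2 files
    first, then .INTERNAL or .EXTERNAL.  Names are forced upper case."""
    base = cfg["logon-list-file"][0].upper()
    names = [f"{base}.{cfg[k][0].upper()}"
             for k in ("logon-list-extra1", "logon-list-extra2")
             if cfg.get(k) and cfg[k][0]]
    names.append(f"{base}.{where.upper()}")
    return names


def parse_logon_list(text):
    """name -> record; missing trailing fields are filled with ''."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        cells = [c.strip() for c in raw.split("|")]
        cells += [""] * (len(FIELDS) - len(cells))
        rec = dict(zip(FIELDS, cells))
        entries[rec["name"]] = rec
    return entries


def find_logon(cfg, files, addr, name):
    """(file name, record) for the first list file that knows `name`, else (None, None)."""
    for fname in logon_list_files(cfg, classify_address(cfg, addr)):
        rec = parse_logon_list(files.get(fname, "")).get(name)
        if rec is not None:
            return fname, rec
    return None, None


if __name__ == "__main__":
    cfg = parse_setup(SETUP)
    for ip, who in (("10.1.0.5", "chris"), ("10.1.0.5", "guest"), ("195.13.83.4", "chris")):
        print(ip, who, find_logon(cfg, LIST_FILES, ip, who))
```

Note that a request from 195.13.83.4 for "chris" finds nothing, because only SUN.TEMP and SUN.EXTERNAL are consulted for an external address; that is the point of keeping separate .INTERNAL and .EXTERNAL lists.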

    cookie-name: (name)
        default: fipCookie

    balance-group: (name)
        use this to balance cookies and codes between systems

    balance-fipid: (name)
        use this to balance Fipids between systems

    encrypt-password:yes/no
        password in either a single logon file or the logon-list can be
        encrypted or not
        default: no

    use-auth:google totp/hotp 30/60
        Use Google Authenticator; Totp or Hotp; 30 or 60 secs stable time
    auth-script: (FipSeq string) to replace the default sffhmac string used to
        test the -A authCode; the default is
        /fip/bin/sffhmac -Z sha1 -n 6 -N 8 -z google_otp -d -I (sfflogon adds
            '\A3' or P3 or M3 for 3 samples) -K 'secret'
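What the Google Authenticator check amounts to, as an added example that is not FingerPost's sffhmac: HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, 6 digits and a 30 or 60 second step, plus a verifier that accepts a code from a few neighbouring time steps. The symmetric window here is an assumption and is not a reading of the A3/P3/M3 flags; the test secret is the RFC 6238 reference seed.

```python
"""Added example, not FingerPost's sffhmac: HOTP/TOTP with SHA-1 and a windowed
check.  The window semantics are assumed; the RFC flags A3/P3/M3 are not modelled."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter (30 or 60 s)."""
    return hotp(secret, int(now) // step, digits)


def decode_google_secret(b32):
    """Google Authenticator secrets are base32, usually shown without '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret, code, now, step=30, digits=6, samples=1, last_counter=-1):
    """Accept `code` if it matches the current step or any step within +/- `samples`
    (assumed window).  Returns the matching counter, or None.  Counters at or
    below `last_counter` are refused, so a code that has already been accepted
    cannot be replayed while it is still inside the window."""
    centre = int(now) // step
    for delta in range(-samples, samples + 1):
        counter = centre + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# RFC 6238 / RFC 4226 reference seed, used only to make the example checkable.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SEED, 0))
    print("TOTP now:", totp(SEED, time.time()))
    print("accepted at step:", verify_totp(SEED, totp(SEED, 59), 59 + 60, samples=3))
```

A caller keeps the counter this returns and passes it back as last_counter on the next attempt; that is what turns a "3 samples" tolerance into something that does not also accept the same one-time code three times.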

    w4-auth-script: (FipSeq string)
    w4-extra-script: (FipSeq string)
        Run this script to get more attributes - perhaps using LDAP
        The difference between the 2 parameters is that the AUTH version must
        return 0 for a valid logon, while the extra script expects previous
        authentication to have been passed.
        The script should return 0 for ok; any other value is an error
        The following FipHdrs are available
            LL  Logon       (-l)
            LD  FullLogon   (-d)
            LO  Password    (-p)
            LP  UC Password (-p forced UCase)
            LF  Fipid
            LC  Cookie
            LW  Internal=0/External=1 flag
            LX  TempFile name for all OUTPUT details of the scripts to add to
                .map and .info
                This is read and the data merged with any other information
        eg  w4-extra-script:/fip/local/fiplogonldap.pl logon='\LL' file=\LX pwd='\LO'
        Note that passwords and logons may need to be quoted for the script to work
        AND beforehand, " is mapped to octal 033, ' to octal 034 and # to octal 035
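The calling contract above, as an added stand-in script that is not FingerPost's fiplogonldap.pl: it takes the key=value arguments the FipSeq string builds, reverses the octal 033/034/035 mapping, returns 0 only for a valid logon in its AUTH flavour, and in its EXTRA flavour writes attributes to the temp file named by file=. The user table is constructed (a real script would consult LDAP), and the key=value layout written to the temp file is an assumption, since the page does not give that file's format.

```python
"""Added example, not FingerPost's fiplogonldap.pl: a stand-in for a
w4-auth-script / w4-extra-script.  The directory is constructed and the
layout written to the LX temp file is assumed."""
import hmac
import os
import sys
import tempfile

# sfflogon maps these characters before substituting \LL, \LO, \LX into the
# FipSeq command line; the script reverses the mapping.
UNMAP = {"\033": '"', "\034": "'", "\035": "#"}


def unmap(value):
    return "".join(UNMAP.get(ch, ch) for ch in value)


def parse_args(argv):
    # key=value arguments as written in the FipSeq string, e.g. logon='\LL'
    args = {}
    for item in argv:
        key, _, value = item.partition("=")
        args[key] = unmap(value)
    return args


# Constructed directory standing in for LDAP.
DIRECTORY = {
    "chris": {"password": 'pa#ss"w\'d', "group": "WIRES-ADMIN",
              "mail": "chris@example.invalid"},
}


def authenticate(args):
    """AUTH flavour: exit status 0 only for a valid logon/password pair."""
    rec = DIRECTORY.get(args.get("logon", ""))
    if rec is None:
        return 1
    ok = hmac.compare_digest(rec["password"].encode(), args.get("pwd", "").encode())
    return 0 if ok else 1


def extra(args):
    """EXTRA flavour: authentication already passed, so just write the extra
    attributes to the temp file named by file=...; 0 for ok, anything else is an error."""
    rec = DIRECTORY.get(args.get("logon", ""))
    path = args.get("file")
    if rec is None or not path:
        return 1
    with open(path, "w") as fh:
        for key in ("group", "mail"):
            fh.write(f"{key}={rec[key]}\n")   # assumed layout of the LX file
    return 0


def run_extra_to_tempfile(logon):
    """Run extra() against a fresh temp file; returns (status, file contents)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        status = extra({"logon": logon, "file": path})
        with open(path) as fh:
            return status, fh.read()
    finally:
        os.unlink(path)


def main(argv):
    # The first argument selects the flavour (this script's own convention):
    #   fiplogon_stub.py auth  logon='\LL' pwd='\LO'
    #   fiplogon_stub.py extra logon='\LL' file=\LX
    if not argv or argv[0] not in ("auth", "extra"):
        return 2
    args = parse_args(argv[1:])
    return authenticate(args) if argv[0] == "auth" else extra(args)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The password comparison uses a constant-time compare; it is the exit status, not anything the script prints, that sfflogon acts on, and the extra flavour must never be wired in as the auth script because it returns 0 for any known logon regardless of password.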

    already-authenticated:no/yes
    use-radius:no/yes
        We have already authenticated the logon, so just get the extra information
        ; OKTA is already authenticated - we just need to make sure it is NOT a spoof
        already-authenticated:yes
        default: no

    auth-service:OKTA
        Google OTP, Microsoft OTP, External, OKTA

    validate:expiry, start, local, issuer
        check the incoming
            expiry  (vto is after the time now)
            start   (vfrom is before the time now)
            local   (vloc is the current IP address)
            issuer  (issuer matches an entry in LOOKUP - see 'lookup:' below)

    lookup: (key) | value
        ; only these issuers are valid
        lookup:ISSUER|https://dev-71239093.okta.com

        ; only these Radius/Groups are valid
        lookup:GROUP|WIRES-ADMIN
        lookup:GROUP|WIRES
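The validate: and lookup: settings above, applied to an already-authenticated assertion (the OKTA case, where the job is to make sure it is not a spoof), as an added example that is not FingerPost's code. The assertion is modelled as a dict with the field names used above (vfrom, vto, vloc, issuer); its real format and the use of epoch seconds are assumptions.

```python
"""Added example, not FingerPost's code: the 'validate:' checks and the
'lookup:' allow-lists.  Assertion shape and epoch-second timestamps are assumed."""

# Constructed customer.setup fragment using the lines documented above.
SETUP = """\
validate:expiry, start, local, issuer
; only these issuers are valid
lookup:ISSUER|https://dev-71239093.okta.com
; only these Radius/Groups are valid
lookup:GROUP|WIRES-ADMIN
lookup:GROUP|WIRES
"""


def parse_validation_setup(text):
    """Collect the 'validate:' list and the 'lookup:KEY|value' allow-lists."""
    checks, lookup = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        if key == "validate":
            checks = [c.strip() for c in value.split(",") if c.strip()]
        elif key == "lookup":
            name, _, entry = value.partition("|")
            lookup.setdefault(name.strip(), set()).add(entry.strip())
    return {"validate": checks, "lookup": lookup}


def validate_assertion(cfg, assertion, now, client_ip):
    """Run only the checks named in 'validate:'; return the names of those that fail."""
    failed = []
    for check in cfg["validate"]:
        if check == "expiry" and not assertion["vto"] > now:        # vto after now
            failed.append(check)
        elif check == "start" and not assertion["vfrom"] < now:     # vfrom before now
            failed.append(check)
        elif check == "local" and assertion["vloc"] != client_ip:   # vloc is this IP
            failed.append(check)
        elif check == "issuer" and assertion["issuer"] not in cfg["lookup"].get("ISSUER", set()):
            failed.append(check)
    return failed


def group_allowed(cfg, groups):
    """True if any Radius/Group on the logon appears in the GROUP lookup."""
    return bool(set(groups) & cfg["lookup"].get("GROUP", set()))


if __name__ == "__main__":
    cfg = parse_validation_setup(SETUP)
    # Constructed assertion: valid from 1000 to 2000, bound to 10.1.0.5.
    assertion = {"vfrom": 1000, "vto": 2000, "vloc": "10.1.0.5",
                 "issuer": "https://dev-71239093.okta.com"}
    print("at 1500 from 10.1.0.5:", validate_assertion(cfg, assertion, 1500, "10.1.0.5"))
    print("at 2500 from 10.9.9.9:", validate_assertion(cfg, assertion, 2500, "10.9.9.9"))
    print("WIRES allowed:", group_allowed(cfg, ["WIRES"]))
```

An empty failure list means accept; anything else is logged and refused. Checking local and issuer together is what stops a token minted elsewhere, or lifted from another client, being presented here.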

    use-second-level-logon: (yes/no)
        This prompts for a 2nd level of authentication which is a one-time-used pad
        default: no
    If you use 'use-second-level-logon:yes' you need:
        sfflogon version 02d
        fip_logon2nd.pl
        fip_generatecodes.pl        - background program to generate the codes
        admin_logon_listradius.pl
        admin_logon_radius.pl       - to allow an administrator to generate 20
                                      codes for a logon
            Set Variable in the script : $generateCodes = 1;

    auto-key: (string)
    auto-logon: (string)
    auto-password: (string)
    auto-pub: (string)
    auto-option: (string)
        Allow the user to logon automatically if this passkey is used as the Fipid
        The logon and password are used for picking up the right logon file or
        logon-list entry.
        There can be 19 different auto-keys
        default: none
        eg
            auto-key:Solarsentinel
            auto-logon:INTERNAL
            auto-password:SUNNY
        auto-pub is used to populate user-p8 and pub: for the info file
        auto-option:
            options include PFX = pub-prefix

Input Parameters are:
Mandatory:
    -t : type                                   default: w4
        http    - apache web server
        w4      - w4 logon file
Either
    -f : fipid                                  default: none
Or
    -l : logon                                  default: none
    -c : cookie to use/check                    default: none
Or
    -l : logon                                  default: none
    -w : password                               default: none

Or just encrypt a password and stop
    -w : password                               default: none
    -e : 2 letter salt to use, eg -e FU         default: none

Or add/replace a Key/Value to fipstore
    -K : fipstore key                           default: none
    -V : fipstore value                         default: none
    -N : fipstore name of store                 default: none

Optional
    -A : auth code to check for Google Authentication   default: none
    -d : full logon name                        default: none
    -D : display progress                       default: do not
    -E : check external first                   default: no
        use w4-auth-script to verify logon BEFORE checking w4 (or http) files
    -g : Publication or organisation            default: none
    -p : remote host port number                default: none
    -s : remote host name or IP address         default: none
    -u : url                                    default: none
    -z : parameter file name in web/setup (if not the default)   default: customer.setup
    -v : print version no and exit

(-s and -p and -u are used by type -t http)
(-c and -f and -z are used by type -t w4 - default)

For those switches with parameters, the parameter MUST be separated by a space.

Other env variables can be used to define where the system is:
    SFF_HOME    where the home or top queue is       default: /fip
            eg  setenv  SFF_HOME    /ripexpress/underware
    SFF_LOG     where the log files queue is        default: (SFF_HOME)/log
    SFF_SPOOL   where the data queues are           default: (SFF_HOME)/spool
    SFF_TMP     where the tmp data queues are       default: (SFF_HOME)/x
            THIS MUST BE ON THE SAME UNIX VOLUME as the SFF_SPOOL queues.
            ie if spools are on /data99 which is hard disk /dev/sd0, you MUST also
            have the TMP queue on the same disk/partition

NOTE that for all BUT SFF_HOME, if the parameter starts with a '/' then it is a
hard, absolute path; if not then the spool area is under SFF_HOME.
    eg  setenv  SFF_SPOOL   /data7      will look under /data7 for queues
    while   setenv  SFF_SPOOL   data7       will look under /fip/data7

Version Control
;2r16   17sep05 added 2nd level and blocks
    ;d-f added errors for logon/pad and balanced pad ;f added p10 and p11
    ;g 29aug06 added w4-extra-script for LDAP etc and use-radius
    ;h-i 22sep06 Winnt version of pad
    ;j 24oct06 added -d for display name
    ;k 23jan07 check input field size
    ;l-m 10may07 added auto-key2-9
    ;n 2aug07 added srfipcpy
    ;o1 30sep07 if setup/logon.radius.setup exists, use it for extra list fields
    ;p1 06dec07 read all logon file for Cookies/Shh too
    ;q2 24jan08 added auto-pub and auto-option
    ;r1-4  5jan14 added logon-list-extra1/2 ;4 blackwhite lists
    ;r6-7 15feb16 added w4-auth-script plus LO for orig pwd (UC/lcase)
    ;r8-13 1apr18 added google authentication (;11 sffhmac -k -> -K) ;12-13 w4-auth-script pwd
    ;14 15oct21 auth-service:external to use w4-auth-script BEFORE checking w4 logon files (needs fip_logon.pl 16u)
    ;15 26oct21 added fipstore -K -N -V (and https??)
    ;16 13oct23 added auth-service: OKTA
;001h   13may03 added w4 - cookies etc
    ;b 10jul03 allow more than 1 cookie
    ;c-d 21jul03 added expires...
    ;e 08mar04 added external address tracking
    ;f-h 26mar04 added logon-list-file
;000a   15dec02 original version

(copyright) 2024 and previous years FingerPost Ltd.