sfflogon

This program authenticates a logon/password in any one of a number of ways:

    1. w4 logon

    2. against an apache httpd server (possibly running radius)
        sfflogon -s server3 -p 80 -t http -l logon -w passwd

It can also be used to encrypt a password and stop (using the -w and -e input
switches); the first line of output is the encrypted form, which is what goes
into a logon file or logon-list when encrypt-password:yes is set.
    # perl example - in the real world remember to escape any metachrs
    # beforehand, or better, use the list form of open as here so the
    # password never passes through a shell at all
    open(my $fh, '-|', '/fip/bin/sfflogon', '-w', '!!chrisIsAzero', '-e', 'XA')
        or die "sfflogon: $!";
    chomp(my @RESblock = <$fh>);
    close($fh);
    my $encPwd = $RESblock[0];

A parameter file is (normally) web/setup/customer.setup

    ; Internal v External logons
    external-address:195.13.83.*
    internal-address:10.1.*.*
    internal-address:10.2.*.*
    OR
    use-whitelist-file:yes/no   default: no
        this uses setup/(BLOCK)_WHITELISTS

    ; assume the address is internal or external if not explicitly stated above
    default-address:internal/external
        default: internal
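The internal/external decision above is what later picks the .INTERNAL or
.EXTERNAL logon list, so it is worth seeing the matching written out. The
following is an added example, not sfflogon's own code. It assumes the address
patterns only use whole-octet '*' wildcards (the only form the page shows), that
internal-address lines are tested before external-address lines, and it adds
two fail-closed checks the page does not mention: an address that is not a
valid dotted quad, or an unrecognised default-address value, is treated as
external. SAMPLE_SETUP is a constructed copy of the lines above.

```python
import ipaddress

# Constructed sample of the customer.setup lines shown above (not a real site)
SAMPLE_SETUP = """
; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
default-address:internal
"""


def parse_setup(text):
    """Return {key: [values]} for 'key:value' lines; ';' lines are comments.
    Repeated keys (eg several internal-address lines) accumulate in order."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        key, sep, value = line.partition(':')
        if sep:
            params.setdefault(key.strip().lower(), []).append(value.strip())
    return params


def octet_match(pattern, address):
    """Match a dotted quad against a pattern whose octets may be '*'.
    ASSUMPTION: only whole-octet wildcards, as in the page's examples."""
    pat, adr = pattern.split('.'), address.split('.')
    return len(pat) == 4 and len(adr) == 4 and all(
        p == '*' or p == a for p, a in zip(pat, adr))


def classify(params, address):
    """Return 'internal' or 'external' for the requesting address."""
    try:
        ipaddress.IPv4Address(address)       # added check: reject garbage first
    except ValueError:
        return 'external'                    # fail closed
    # ASSUMPTION: internal-address lines are tested before external-address
    for pat in params.get('internal-address', []):
        if octet_match(pat, address):
            return 'internal'
    for pat in params.get('external-address', []):
        if octet_match(pat, address):
            return 'external'
    default = params.get('default-address', ['internal'])[-1].lower()
    # page default is internal; an unrecognised value fails closed (added check)
    return default if default in ('internal', 'external') else 'external'
```

Note that with the page's default of default-address:internal, an address
that matches nothing (for example a new office subnet that was never added)
is treated as internal and gets the internal cookie and logon-list rules; on a
host reachable from the internet, default-address:external is the safer
setting.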

    ; Cookies
    allow-cookies:yes/no
        Allow users to use cookies so they do not need to logon each time
        default: no

    allow-external-cookies:yes/no
        Allow external users to use cookies.
        default: no

    logon-list-file:(name of list file)
        This is in /fip/web/logon/lists/ ; the name is forced upper case and
        given a .INTERNAL or .EXTERNAL extension
        syntax is
            ; comment line
            name | password | pub | group to use | description or real name | buttons/usertype | wires | options | prefs
        currently only name, password and group are used
    logon-list-extra1:
    logon-list-extra2: (ext of list file)
        Two optional extensions for extra logon files that are tested first
        eg  logon-list-file:SUN
            logon-list-extra1:temp
        So there can be 2 or 3 logon list files :
            - SUN.TEMP will be checked first
            - then either SUN.INTERNAL or SUN.EXTERNAL depending on where the
              request is sourced.
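To make the file order, the list syntax and the encrypt-password setting (below)
concrete, here is an added example of the lookup; it is not sfflogon's code.
It assumes: the list files are supplied as an in-memory dict instead of
/fip/web/logon/lists/ so it runs offline; the page does not say what
`sfflogon -w PWD -e SALT` emits, so stand_in_encrypt (salt + SHA-256) stands in
for it, with the first two characters of the stored field taken as the salt;
and when a name is found in an earlier file but the password does not match,
later files are still searched. Entries with an empty password field never
match, and comparisons are constant-time.

```python
import hashlib
import hmac

FIELDS = ('name', 'password', 'pub', 'group', 'description',
          'buttons', 'wires', 'options', 'prefs')


def candidate_files(list_name, where, extra1=None, extra2=None):
    """File names in the order they are checked: the extra1/extra2 files first,
    then .INTERNAL or .EXTERNAL for where the request came from.
    All names are forced to upper case."""
    base = list_name.upper()
    order = [base + '.' + ext.upper() for ext in (extra1, extra2) if ext]
    order.append(base + ('.INTERNAL' if where == 'internal' else '.EXTERNAL'))
    return order


def parse_list(text):
    """Yield one dict per data line of a logon list file (';' lines are comments)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        parts = [p.strip() for p in line.split('|')]
        parts += [''] * (len(FIELDS) - len(parts))       # pad short lines
        yield dict(zip(FIELDS, parts))


def stand_in_encrypt(password, salt):
    """ASSUMPTION: stand-in for the undocumented output of sfflogon -w PWD -e SALT
    so the example runs offline. Against a real list the stored field is
    whatever sfflogon printed."""
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()


def password_ok(stored, given, encrypted, encrypt=stand_in_encrypt):
    """Constant-time compare; with encrypt-password:yes the first two chars of
    the stored field are the salt (ASSUMPTION) the password was encrypted with."""
    if encrypted:
        given = encrypt(given, stored[:2])
    return hmac.compare_digest(stored.encode(), given.encode())


def authenticate(files, list_name, where, logon, password,
                 encrypted=False, extra1=None, extra2=None):
    """Return (filename, entry) for the first entry matching both name and
    password, else None. A missing extra file is skipped; an entry with an
    empty password field can never match."""
    for fname in candidate_files(list_name, where, extra1, extra2):
        text = files.get(fname)
        if text is None:
            continue
        for entry in parse_list(text):
            if (entry['name'] == logon and entry['password']
                    and password_ok(entry['password'], password, encrypted)):
                return fname, entry
    return None


# Constructed stand-ins for /fip/web/logon/lists/SUN.* (a dict instead of disk)
SAMPLE_FILES = {
    'SUN.TEMP': "; temporary logons, checked before the main list\n"
                "guest | letmein | sun | visitors | Temporary guest |\n",
    'SUN.INTERNAL': "; staff, plain-text passwords (encrypt-password:no)\n"
                    "chris | !!chrisIsAzero | sun | editors | Chris | | | |\n",
    'SUN.EXTERNAL': "; remote users, encrypted passwords (encrypt-password:yes)\n"
                    "chris | " + stand_in_encrypt('!!chrisIsAzero', 'XA')
                    + " | sun | readers | Chris (remote) |\n",
}
```

The returned entry's group is what the session is then run under, so the
same logon name can land in a different group depending only on which side of
the internal/external line the request came from.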

    cookie-name: (name)
        default: fipCookie

    balance-group: (name)
        use this to balance cookies and codes between systems

    balance-fipid: (name)
        use this to balance Fipids between systems

    encrypt-password:yes/no
        The password in either a single logon file or the logon-list can be
        encrypted (the output of sfflogon -w pwd -e salt, see above) or plain
        default: no

    w4-auth-script: (FipSeq string)
    w4-extra-script: (FipSeq string)
        Run this script to get more attributes
        The difference between the 2 parameters is that the AUTH version must
        return 0 for a valid logon, while the EXTRA script expects previous
        authentication to have been passed.
        The script should return 0 for ok; any other value is an error
        The following FipHdrs are available
            LL  Logon       (-l)
            LD  FullLogon   (-d)
            LO  Password    (-w, as given)
            LP  UC Password (-w forced UCase)
            LF  Fipid
            LC  Cookie
            LW  Internal=0/External=1 flag
            LX  TempFile name for all OUTPUT details of the scripts to add to
                .map and .info
                This is read and the data merged with any other information
        eg  w4-extra-script:/fip/local/fiplogonldap.pl logon=\LL file=\LX
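The contract between sfflogon and an auth/extra script is small: FipHdrs are
substituted into the FipSeq string, the script is run, exit 0 means ok, and
the LX temp file is read back. Here is an added example of the caller side
with a stand-in script; neither is sfflogon's or fiplogonldap.pl's code. It
assumes the FipSeq string is a whitespace-separated argv with no quoting and
that only the \XX header form needs substituting; that the LX file holds
key:value lines (the page does not give its format); and it substitutes after
splitting so that a logon containing spaces or shell metacharacters stays a
single argument and never reaches a shell.

```python
import os
import re
import subprocess
import sys
import tempfile

FIPHDRS = ('LL', 'LD', 'LO', 'LP', 'LF', 'LC', 'LW', 'LX')


def expand_fipseq(template, hdrs):
    """Split the FipSeq string into argv FIRST, then substitute \\XX FipHdrs in
    each argument. ASSUMPTION: whitespace-separated, no quoting, only \\XX.
    Substituting after the split keeps a value like 'a b; id' as one argv
    entry; nothing is handed to a shell."""
    def sub(m):
        key = m.group(1)
        if key not in FIPHDRS:
            raise KeyError('unknown FipHdr \\' + key)
        return hdrs.get(key, '')
    return [re.sub(r'\\([A-Z]{2})', sub, arg) for arg in template.split()]


def run_logon_script(template, hdrs, timeout=30):
    """Run an auth/extra script as the page describes: exit 0 is ok, anything
    else is an error; on ok, read the LX temp file back.
    ASSUMPTION: LX holds 'key:value' lines."""
    fd, lx = tempfile.mkstemp(prefix='sfflogon-LX-')
    os.close(fd)
    hdrs = dict(hdrs, LX=lx, LP=hdrs.get('LO', '').upper())
    try:
        argv = expand_fipseq(template, hdrs)
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        attrs = {}
        if proc.returncode == 0:
            with open(lx) as f:
                for line in f:
                    key, sep, value = line.rstrip('\n').partition(':')
                    if sep:
                        attrs[key.strip()] = value.strip()
        return proc.returncode == 0, attrs
    finally:
        os.unlink(lx)


# Constructed stand-in for /fip/local/fiplogonldap.pl: knows one user, writes
# that user's attributes to the LX file and exits 0, otherwise exits 1.
STAND_IN_SCRIPT = '''\
import sys
args = dict(a.split('=', 1) for a in sys.argv[1:] if '=' in a)
known = {'chris': ('editors', 'Chris Fingerpost')}
if args.get('logon') not in known:
    sys.exit(1)
group, fullname = known[args['logon']]
with open(args['file'], 'w') as f:
    f.write('group:' + group + '\\nfullname:' + fullname + '\\n')
sys.exit(0)
'''


def make_stand_in_script():
    """Write the stand-in script to a fresh temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix='sfflogon-demo-'), 'fiplogonldap.py')
    with open(path, 'w') as f:
        f.write(STAND_IN_SCRIPT)
    return path


def check_logon(script_path, logon, password, external=False):
    """The equivalent of  w4-auth-script:<script> logon=\\LL file=\\LX"""
    template = '%s %s logon=\\LL file=\\LX' % (sys.executable, script_path)
    hdrs = {'LL': logon, 'LD': logon, 'LO': password,
            'LF': '', 'LC': '', 'LW': '1' if external else '0'}
    return run_logon_script(template, hdrs)
```

The page's own example passes only \LL and \LX on the command line; keep it
that way where you can, since anything placed in the FipSeq string (including
\LO or \LP) is visible to other local users in the process list for as long as
the script runs.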

    already-authenticated:no/yes
    use-radius:no/yes
        The logon has already been authenticated (eg by radius), so just get
        the extra information
        default is NO

    auto-key: (string)
    auto-logon: (string)
    auto-password: (string)
    auto-pub: (string)
    auto-option: (string)
        Allow a user to logon automatically if this passkey is used as the Fipid
        The logon and password are used for picking up the right logon file or
        logon-list entry.
        There can be 19 different auto-keys
        default: none
        eg
            auto-key:Sunsentinel
            auto-logon:INTERNAL
            auto-password:SUNNY
        auto-pub is used to populate user-p8 and pub: for the info file
        auto-option:
            options include PFX = pub-prefix

    use-second-level-logon: (yes/no)
        This prompts for a 2nd level of authentication using a pad of one-time codes
        default: no
    If you use 'use-second-level-logon:yes' you need :
        sfflogon version 02d
        fip_logon2nd.pl
        fip_generatecodes.pl        - background program to generate the codes
        admin_logon_listradius.pl
        admin_logon_radius.pl       - to allow an administrator to generate 20 codes
                                      for a logon
            Set Variable in the script : $generateCodes = 1;

Input Parameters are :
Mandatory:
    -t : type                   default: w4
        http    - apache web server
        w4  - w4 logon file
Either
    -f : fipid                  default: none
Or
    -l : logon                  default: none
    -c : cookie to use/check            default: none
Or
    -l : logon                  default: none
    -w : password                   default: none
Or just encrypt a password and stop
    -w : password                   default: none
    -e : 2 letter salt to use, eg -e FU     default: none
Optional
    -d : full logon name                default: none
    -s : remote host name or IPaddress      default: none
    -p : remote host port number            default: none
    -u : url                    default: none
    -g : Publication or organisation        default: none
    -z : parameter file name in web/setup       default: customer.setup
        if not default
    -v : print version no and exit

(-s and -p and -u are used by type -t http)
(-c and -f and -z are used by type -t w4 - default)

For those switches with parameters, the parameter MUST be separated by a space.

Other env variables can be used to define where the system is :
    SFF_HOME    where the home or top queue is. default: /fip
            eg  setenv  SFF_HOME    /ripexpress/underware
    SFF_LOG     where the log files queue is    default: (SFF_HOME)/log
    SFF_SPOOL   where the data queues are   default: (SFF_HOME)/spool
    SFF_TMP     where the tmp data queue is     default: (SFF_HOME)/x
            THIS MUST BE ON THE SAME UNIX VOLUME as the SFF_SPOOL queues.
            ie if spools are on /data99 which is hard disk /dev/sd0, you MUST also
            have the TMP queue on the same disk/partition

NOTE that for all BUT SFF_HOME, if the parameter starts with a '/' then it is a
hard, absolute path; if not then the spool area is under SFF_HOME.
    eg  setenv  SFF_SPOOL   /data7      will look under /data7 for queues
    while   setenv  SFF_SPOOL   data7       will look under /fip/data7
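The path rule above and the same-volume requirement for SFF_TMP are easy to
get wrong at install time, so here is an added example that resolves the four
variables the way the page describes and then checks the layout. It is not
sfflogon's code; it assumes SFF_HOME is used exactly as given (default /fip)
and that "same UNIX volume" means the same st_dev as reported by stat(2).

```python
import os

# defaults from the page, relative to SFF_HOME
QUEUE_DEFAULTS = {'SFF_LOG': 'log', 'SFF_SPOOL': 'spool', 'SFF_TMP': 'x'}


def resolve_queues(env):
    """Apply the rule: SFF_HOME is taken as given (default /fip); each other
    variable is an absolute path if it starts with '/', otherwise a
    directory under SFF_HOME."""
    home = env.get('SFF_HOME', '/fip')
    queues = {'SFF_HOME': home}
    for var, default in QUEUE_DEFAULTS.items():
        value = env.get(var, default)
        queues[var] = value if value.startswith('/') else os.path.join(home, value)
    return queues


def check_layout(queues):
    """Return a list of problems: queue directories that do not exist, and
    SFF_TMP not on the same volume (st_dev) as SFF_SPOOL."""
    problems = []
    for var, path in queues.items():
        if not os.path.isdir(path):
            problems.append('%s=%s is not a directory' % (var, path))
    spool, tmp = queues['SFF_SPOOL'], queues['SFF_TMP']
    if (os.path.isdir(spool) and os.path.isdir(tmp)
            and os.stat(spool).st_dev != os.stat(tmp).st_dev):
        problems.append('SFF_TMP %s is not on the same volume as SFF_SPOOL %s'
                        % (tmp, spool))
    return problems


if __name__ == '__main__':
    for problem in check_layout(resolve_queues(os.environ)):
        print(problem)
```

Run it in the environment the sfflogon processes will see (after any setenv
lines in the startup scripts), not from an interactive shell with a different
SFF_HOME. A rename(2) between two filesystems fails with EXDEV, which is the
usual reason a spool and its tmp queue have to share a volume.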

Version Control
;2r7    17sep05 added 2nd level and blocks
    ;d-f added errors for logon/pad and balanced pad ;f added p10 and p11
    ;g 29aug06 added w4-extra-script for LDAP etc and use-radius
    ;h-i 22sep06 Winnt version of pad
    ;j 24oct06 added -d for display name
    ;k 23jan07 check input field size
    ;l-m 10may07 added auto-key2-9
    ;n 2aug07 added srfipcpy
    ;o1 30sep07 if setup/logon.radius.setup exists, use it for extra list fields
    ;p1 06dec07 read all logon file for Cookies/Shh too
    ;q2 24jan08 added auto-pub and auto-option
    ;r1-4  5jan14 added logon-list-extra1/2 ;4 blackwhite lists
    ;r6-7 15feb16 added w4-auth-script plus LO for orig pwd (UC/lcase)
;001h   13may03 added w4 - cookies etc
    ;b 10jul03 allow more than 1 cookie
    ;c-d 21jul03 added expires...
    ;e 08mar04 added external address tracking
    ;f-h 26mar04 added logon-list-file
;000a   15dec02 original version

(copyright) 2017 and previous years FingerPost Ltd.