This program authenticates a logon/passwd in any one of a number of ways

    1. w4 logon

    2. against an apache httpd server (possibly running radius)
        sfflogon -s server3 -p 80 -t http -l logon -w passwd

It can also be used to encrypt a password and stop (using the -w and -e input
    # perl example - in the real world, remember to escape any metacharacters
    @RESblock = `/fip/bin/sfflogon -w '!!chrisIsAzero' -e XA`;
    $encPwd = $RESblock[0];
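
One way to avoid the escaping problem altogether is to bypass the shell. This is an added example, not FingerPost code; the sub name, the optional $bin parameter and the /bin/echo stand-in are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run sfflogon in "encrypt and stop" mode without going through /bin/sh.
# $bin is a hypothetical parameter of this example; it defaults to the path
# used above and lets the demo substitute a harmless stand-in.
sub encrypt_password {
    my ($password, $salt, $bin) = @_;
    $bin = '/fip/bin/sfflogon' unless defined $bin;

    # -e takes a 2 letter salt (eg XA, FU); reject anything else up front.
    die "salt must be exactly 2 letters\n" unless $salt =~ /\A[A-Za-z]{2}\z/;
    # An argv string cannot carry a NUL byte; fail rather than truncate.
    die "password contains a NUL byte\n" if $password =~ /\0/;

    # List-form pipe open: perl execs $bin directly, so quotes, $, ;, # and
    # spaces in $password reach the program as one literal argument.
    open(my $fh, '-|', $bin, '-w', $password, '-e', $salt)
        or die "cannot run $bin: $!\n";
    my @res = <$fh>;
    close($fh);    # exit status of -e mode is not documented on this page

    die "no output from $bin\n" unless @res;
    chomp(my $enc = $res[0]);    # first output line, as in the example above
    return $enc;
}

# Constructed demo: /bin/echo stands in for sfflogon and prints its arguments,
# showing that the metacharacters arrive untouched.
my $seen = encrypt_password(q{it's $HOME;#1}, 'XA', '/bin/echo');
print "$seen\n";
```

The password is still passed on the command line, so it is visible in the process list to other local users while sfflogon runs.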

A parameter file is (normally) web/setup/customer.setup

    ; Internal v External logons
    use-whitelist-file:yes/no   default: no
        this uses setup/(BLOCK)_WHITELISTS

    ; assume the address is int or ext if not explicitly stated above
        default: internal

    ; Cookies
        Allow users to use cookies so they do not need to logon each time
        default: no

        Allow external users to use cookies.
        default: no

    logon-list-file:(name of list file)
        This is in /fip/web/logon/lists/ and is forced upper case with .INTERNAL and .EXTERNAL extensions
        syntax is
            ; comment line
            name | password | pub | group to use | description or real name | buttons/usertype | wires | options | prefs
        currently only name, password and group are used
    logon-list-extra2: (ext of list file)
        Two optional ext for extra logon files that are tested first
        eg  logon-list-file:SUN
        So there can be 2 or 3 logon list files :
            - SUN.TEMP will be checked first
            - then either SUN.INTERNAL or SUN.EXTERNAL depending on where the request is
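
A parser for the list syntax above together with the lookup order, as an added example that is not FingerPost code. The sub names and sample entries are constructed; trimming of whitespace around '|' and "first file containing the name wins" are assumptions.

```perl
use strict;
use warnings;

# Field order taken from the syntax line above.
my @FIELDS = qw(name password pub group description usertype wires options prefs);

# Parse the text of one list file into { name => { field => value } }.
# Assumptions of this example: whitespace around '|' is not significant,
# blank lines are skipped, and the first entry for a name wins.
sub parse_logon_list {
    my ($text) = @_;
    my %users;
    for my $line (split /\r?\n/, $text) {
        next if $line =~ /\A\s*(?:;|\z)/;    # "; comment line" or blank
        my @v = map { s/\A\s+|\s+\z//gr } split /\|/, $line, -1;
        next unless length $v[0];
        my %rec;
        @rec{@FIELDS} = map { defined($_) ? $_ : '' } @v[0 .. $#FIELDS];
        $users{ $rec{name} } //= \%rec;
    }
    return \%users;
}

# File names consulted for one request, in the order given above: extra
# list(s) first, then .INTERNAL or .EXTERNAL. Names are forced upper case.
sub list_file_order {
    my ($base, $is_external, @extra_exts) = @_;
    my @exts = (@extra_exts, $is_external ? 'EXTERNAL' : 'INTERNAL');
    return map { uc("$base.$_") } @exts;
}

# Assumption: a name found in an earlier list is not looked up again in a
# later one, so a .TEMP entry overrides the .INTERNAL/.EXTERNAL entry.
sub find_user {
    my ($name, @lists) = @_;
    for my $list (@lists) { return $list->{$name} if exists $list->{$name} }
    return;
}

# Constructed sample data, not real accounts.
my $temp = parse_logon_list("; SUN.TEMP\nguest | g-temp | | VISITORS |\n");
my $int  = parse_logon_list("; SUN.INTERNAL\n"
    . "guest | g-int | SUN | STAFF | Guest desk | | | |\n"
    . "chris | c-int | SUN | NEWS | Chris | | | |\n");
print join(' ', list_file_order('sun', 0, 'temp')), "\n";
my $hit = find_user('guest', $temp, $int);
print "guest: group=$hit->{group} password=$hit->{password}\n";
```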

    cookie-name: (name)
        default: fipCookie

    balance-group: (name)
        use this to balance cookies and codes between systems

    balance-fipid: (name)
        use this to balance Fipids between systems

        password in either a single logon file or the logon-list can be encrypted or
        default: no

    use-auth:google totp/hotp 30/60
        Use Google Authenticator; Totp or Hotp; 30 or 60 secs stable time
    auth-script: (FipSeq string) to replace default sffhmac string to test -A
        /fip/bin/sffhmac -Z sha1 -n 6 -N 8 -z google_otp -d -I (sfflogon adds '\A3' or P3 or M3 for 3 samples) -K 'secret'
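
The check that use-auth:google totp implies, sketched in Perl with the core Digest::SHA module. This is an added example, not sfflogon or sffhmac code; it assumes 6-digit SHA-1 codes, a secret given as raw bytes, and that the 3 samples are the previous, current and next time step.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to $digits decimal digits.
sub hotp {
    my ($secret, $counter, $digits) = @_;
    $digits ||= 6;
    my $msg = pack('NN', int($counter / 2**32), $counter % 2**32);
    my $mac = hmac_sha1($msg, $secret);
    my $off = ord(substr($mac, -1)) & 0x0f;
    my $bin = unpack('N', substr($mac, $off, 4)) & 0x7fffffff;
    return sprintf('%0*d', $digits, $bin % 10**$digits);
}

# Compare two codes without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# TOTP (RFC 6238): the counter is floor(time / step), step being 30 or 60.
# Assumption of this example: "3 samples" means previous, current and next step.
sub totp_ok {
    my ($secret, $code, $step, $now) = @_;
    $now = time unless defined $now;
    return 0 unless $code =~ /\A\d{6}\z/;
    my $t  = int($now / $step);
    my $ok = 0;
    for my $d (-1, 0, 1) {
        next if $t + $d < 0;
        $ok |= ct_eq(hotp($secret, $t + $d), $code);
    }
    return $ok;
}

# Self-check with the RFC 4226 test secret (a published vector, not a real key).
my $key = '12345678901234567890';
die "hotp broken\n" unless hotp($key, 0) eq '755224' && hotp($key, 1) eq '287082';
print "t=59  step 30: ", (totp_ok($key, '287082', 30, 59)  ? 'accepted' : 'rejected'), "\n";
print "t=150 step 30: ", (totp_ok($key, '287082', 30, 150) ? 'accepted' : 'rejected'), "\n";
```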

    w4-auth-script: (FipSeq string)
    w4-extra-script: (FipSeq string)
        Run this script to get more attributes - perhaps using LDAP
        The difference between the 2 parameters is that the AUTH version must return 0 for a valid logon.
        While the extra script is expecting previous authentication to have been
        The script should return 0 for ok; any other is an error
        The following FipHdrs are available
            LL  Logon       (-l)
            LD  FullLogon   (-d)
            LO  Password    (-p)
            LP  UC Password (-p forced UCase)
            LF  Fipid
            LC  Cookie
            LW  Internal=0/External=1 flag
            LX  TempFile name for all OUTPUT details of the scripts to add to .map and
                This is read and the data merged with any other information
        eg  w4-extra-script:/fip/local/fiplogonldap.pl logon='\LL' file=\LX pwd='\LO'
        Note that password and logons may need to be quoted for the script to work
        AND beforehand, " is mapped to octal 033, ' octal 034 and # octal 035

        We have already authenticated the logon, so just get the extra information
        default is NO

    use-second-level-logon: (yes/no)
        This prompts for a 2nd level of authentication which is a one-time-used pad
        default: no
    If you use 'use-second-level-logon:yes' you need :
        sfflogon version 02d
        fip_generatecodes.pl        - background program to generate the codes
        admin_logon_radius.pl       - to allow an administrator to generate 20 codes for a
            Set Variable in the script : $generateCodes = 1;

    auto-key: (string)
    auto-logon: (string)
    auto-password: (string)
    auto-pub: (string)
    auto-option: (string)
        Allow user to logon automatically if this passkey is used as the Fipid
        The logon and password are to be used for picking up the right logon file or logon-list entry.
        There can be 19 different auto-keys
        default: none
        auto-pub is used to populate user-p8 and pub: for the info file
            options include PFX = pub-prefix

Input Parameters are :
    -t : type                   default: w4
        http    - apache web server
        w4  - w4 logon file
    -f : fipid                  default: none
    -l : logon                  default: none
    -c : cookie to use/check            default: none
    -w : password                   default: none
Or just encrypt a password and stop
    -w : password                   default: none
    -e : 2 letter salt to use, eg -e FU     default: none
    -A : auth code to check for Google Authentication   default: none
    -d : full logon name                default: none
    -s : remote host name or IPaddress      default: none
    -p : remote host port number            default: none
    -u : url                    default: none
    -g : Publication or organisation        default: none
    -z : parameter file name in web/setup       default: customer.setup
        if not default
    -D : display progress               default: do not
    -v : print version no and exit

(-s and -p and -u are used by type -t http)
(-c and -f and -z are used by type -t w4 - default)

For those switches with parameters, the parameter MUST be separated by a space.

Other environment variables can be used to define where the system is :
    SFF_HOME    where the home or top queue is. default: /fip
            eg  setenv  SFF_HOME    /ripexpress/underware
    SFF_LOG     where the log files queue is    default: (SFF_HOME)/log
    SFF_SPOOL   where the data queues are   default: (SFF_HOME)/spool
    SFF_TMP     where the tmp data queue is     default: (SFF_HOME)/x
            ie if spools are on /data99 which is hard disk /dev/sd0, you MUST also
            have the TMP queue on the same disk/partition

NOTE that for all BUT SFF_HOME, if the parameter starts with a '/' then it is a
hard, absolute path; if not then the spool area is under SFF_HOME.
    eg  setenv  SFF_SPOOL   /data7      will look under /data7 for queues
    while   setenv  SFF_SPOOL   data7       will look under /fip/data7

Version Control
;2r12   17sep05 added 2nd level and blocks
    ;d-f added errors for logon/pad and balanced pad ;f added p10 and p11
    ;g 29aug06 added w4-extra-script for LDAP etc and use-radius
    ;h-i 22sep06 Winnt version of pad
    ;j 24oct06 added -d for display name
    ;k 23jan07 check input field size
    ;l-m 10may07 added auto-key2-9
    ;n 2aug07 added srfipcpy
    ;o1 30sep07 if setup/logon.radius.setup exists, use it for extra lIST fields
    ;p1 06dec07 read all logon file for Cookies/Shh too
    ;q2 24jan08 added auto-pub and auto-option
    ;r1-4  5jan14 added logon-list-extra1/2 ;4 blackwhite lists
    ;r6-7 15feb16 added w4-auth-script plus LO for orig pwd (UC/lcase)
    ;r8-12 1apr18 added google authentication (; 11 sffhmac -k -> -K) ;12 w4-auth-script pwd
;001h   13may03 added w4 - cookies etc
    ;b 10jul03 allow more than 1 cookie
    ;c-d 21jul03 added expires...
    ;e 08mar04 added external address tracking
    ;f-h 26mar04 added logon-list-file
;000a   15dec02 original version

(copyright) 2019 and previous years FingerPost Ltd.