sfflogon
This program authenticates a logon/passwd in any one of a number of ways
1. w4 logon
2. against an apache httpd server (possibly running radius)
sfflogon -s server3 -p 80 -t http -l logon -w passwd
It can also be used to encrypt a password and stop (using the -w and -e input
switches)
# perl example - in the real world, remember to escape any shell
# metacharacters in the password beforehand, because the backticks run the
# command through a shell. Note also that a password given with -w is
# visible to other local users in the process list while sfflogon runs.
@RESblock = `/fip/bin/sfflogon -w '!!chrisIsAzero' -e XA`;
chomp(@RESblock);            # drop the trailing newline from the output line
$encPwd = $RESblock[0];
A parameter file is (normally) web/setup/customer.setup
; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
OR
use-whitelist-file:yes/no default: no
this uses setup/(BLOCK)_WHITELISTS
; assume the address is internal or external if not explicitly stated above
default-address:internal/external
default: internal
; Cookies
allow-cookies:yes/no
Allow users to use cookies so they do not need to logon each time
default: no
allow-external-cookies:yes/no
Allow external users to use cookies.
default: no
logon-list-file:(name of list file)
This is in /fip/web/logon/lists/ and is forced upper case with .INTERNAL and
.EXTERNAL extensions
syntax is
; comment line
name | password | pub | group to use | description or real name |
buttons/usertype | wires | options | prefs
Currently only name, password and group are used.
logon-list-extra1: (ext of list file)
logon-list-extra2: (ext of list file)
Two optional extensions for extra logon files that are tested first; the
extension is forced upper case like the others.
eg logon-list-file:SUN
logon-list-extra1:temp
So there can be 2 or 3 logon list files :
- SUN.TEMP will be checked first
- then either SUN.INTERNAL or SUN.EXTERNAL depending on where the request is
sourced.
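Worked example (added here, not code from the sfflogon distribution) of how the address rules and the list-file order above combine: a small Python script classifies the client address, builds the SUN.TEMP / SUN.INTERNAL / SUN.EXTERNAL search order and looks the logon up in the first file that knows it. The setup fragment and the list-file contents are constructed for the example, and the assumption that an explicit external-address rule is tested before internal-address (and both before default-address) is the example's own; the page does not say which wins when both match.

```python
import hmac

# Constructed customer.setup fragment (example data, not a real site's file).
SETUP = """\
; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
default-address:external
logon-list-file:SUN
logon-list-extra1:temp
"""

# Constructed logon list files, keyed by the upper-cased names the page
# describes (SUN.TEMP from logon-list-extra1, then SUN.INTERNAL / SUN.EXTERNAL).
LIST_FILES = {
    "SUN.TEMP": (
        "; temporary accounts, tested first\n"
        "contractor | tempPW1 | sun | WIRES | Temporary contractor |\n"
    ),
    "SUN.INTERNAL": (
        "; staff on the office LAN\n"
        "alice | alicePW | sun | WIRES-ADMIN | Alice Smith |\n"
        "bob | bobPW | sun | WIRES | Bob Jones |\n"
    ),
    "SUN.EXTERNAL": (
        "; the same person coming in from outside gets a less privileged group\n"
        "alice | alicePW | sun | WIRES | Alice Smith |\n"
    ),
}


def parse_setup(text):
    """Collect the address rules and logon-list names from a setup fragment."""
    cfg = {"external": [], "internal": [], "default": "internal",
           "list": None, "extras": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "external-address":
            cfg["external"].append(value)
        elif key == "internal-address":
            cfg["internal"].append(value)
        elif key == "default-address":
            cfg["default"] = value.lower()
        elif key == "logon-list-file":
            cfg["list"] = value
        elif key in ("logon-list-extra1", "logon-list-extra2"):
            cfg["extras"].append(value)
    return cfg


def addr_matches(addr, pattern):
    """Match a dotted quad octet by octet; '*' in the pattern matches one octet."""
    a, p = addr.split("."), pattern.split(".")
    return len(a) == 4 and len(p) == 4 and all(po in ("*", ao) for ao, po in zip(a, p))


def is_external(cfg, addr):
    """Assumed order: explicit external rules, then internal, then default-address."""
    if any(addr_matches(addr, p) for p in cfg["external"]):
        return True
    if any(addr_matches(addr, p) for p in cfg["internal"]):
        return False
    return cfg["default"] == "external"


def list_file_order(cfg, external):
    """Extra1/extra2 files first, then LIST.INTERNAL or LIST.EXTERNAL."""
    base = cfg["list"].upper()
    order = [f"{base}.{ext.upper()}" for ext in cfg["extras"]]
    order.append(f"{base}.{'EXTERNAL' if external else 'INTERNAL'}")
    return order


def parse_list(text):
    """name | password | pub | group | ... ; only the first four fields are used."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = [f.strip() for f in line.split("|")] + [""] * 4
        name, password, pub, group = fields[:4]
        if name:
            entries[name] = {"password": password, "pub": pub, "group": group}
    return entries


def find_logon(cfg, addr, name):
    """Return (list file, entry) from the first file in search order that knows the name."""
    for fname in list_file_order(cfg, is_external(cfg, addr)):
        entry = parse_list(LIST_FILES.get(fname, "")).get(name)
        if entry is not None:
            return fname, entry
    return None


def check_password(entry, given):
    """Plain-text list entry (encrypt-password:no); compare in constant time."""
    return hmac.compare_digest(entry["password"].encode(), given.encode())


if __name__ == "__main__":
    cfg = parse_setup(SETUP)
    for addr in ("10.1.5.6", "195.13.83.9"):
        print(addr, "external" if is_external(cfg, addr) else "internal",
              find_logon(cfg, addr, "alice"))
```

Note that the same name can resolve to a different group depending on where the request comes from (alice is WIRES-ADMIN from inside but only WIRES from the external file), which is the point of keeping separate .INTERNAL and .EXTERNAL lists.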
cookie-name: (name)
default: fipCookie
balance-group: (name)
use this to balance cookies and codes between systems
balance-fipid: (name)
use this to balance Fipids between systems
encrypt-password:yes/no
password in either a single logon file or the logon-list can be encrypted or
not
default: no
use-auth:google totp/hotp 30/60
Use Google Authenticator style one-time codes; TOTP or HOTP; 30 or 60 second
time step
auth-script: (FipSeq string) to replace the default sffhmac command used to
test the -A authCode. The default is
/fip/bin/sffhmac -Z sha1 -n 6 -N 8 -z google_otp -d -I (sfflogon adds '\A3'
or P3 or M3 for 3 samples) -K 'secret'
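Added example, not code from sfflogon or sffhmac, of what the 3-sample check amounts to in Python: RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1 and 6 digits, a base32 (Google Authenticator style) secret, and a code accepted if it matches the previous, current or next time step. The secret used is the RFC reference key "12345678901234567890" in base32, included only for illustration; how sfflogon labels the three samples ('\A3', P3, M3) is not interpreted here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 4226/6238 reference key "12345678901234567890"
# in the base32 form an authenticator-app enrolment would carry.
B32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter = floor(now / step)."""
    return hotp(secret, now // step, digits)


def verify_totp(b32_secret: str, submitted: str, now: int, step: int = 30,
                digits: int = 6, samples: int = 3) -> bool:
    """Accept the code if it matches any of `samples` consecutive time steps
    centred on the current one (3 samples = previous, current, next), which
    tolerates clock skew of one step either way."""
    secret = base64.b32decode(b32_secret.upper())
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    first = now // step - samples // 2
    ok = False
    for counter in range(first, first + samples):
        if counter < 0:
            continue
        # Constant-time compare, and no early exit, so timing does not reveal
        # which sample (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, counter, digits), submitted)
    return ok


if __name__ == "__main__":
    secret = base64.b32decode(B32_SECRET)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(B32_SECRET, code, now))
```

With a 60-second step (use-auth:google totp 60) the same three-sample window tolerates up to a minute of skew each way; widening `samples` beyond 3 widens the window an attacker can guess within, so keep it small and rate-limit the -A check.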
w4-auth-script: (FipSeq string)
w4-extra-script: (FipSeq string)
Run this script to get more attributes - perhaps using LDAP
The difference between the 2 parameters is that the AUTH version must return
0 for a valid logon, while the extra script expects authentication to have
already been passed.
Both scripts should return 0 for ok; any other value is an error.
The following FipHdrs are available
LL Logon (-l)
LD FullLogon (-d)
LO Password (-w, as given)
LP Password (-w, forced upper case)
LF Fipid
LC Cookie
LW Internal=0/External=1 flag
LX TempFile name for all OUTPUT details of the scripts to add to .map and
.info
This is read and the data merged with any other information
eg w4-extra-script:/fip/local/fiplogonldap.pl logon='\LL' file=\LX pwd='\LO'
Note that passwords and logons may need to be quoted for the script to work,
AND beforehand " is mapped to octal 033, ' to octal 034 and # to octal 035.
already-authenticated:no/yes
The logon has already been authenticated elsewhere (eg by Radius or OKTA),
so sfflogon only fetches the extra information
default: no
use-radius:no/yes
auth-service: (name)
One of Google OTP, Microsoft OTP, External, OKTA
; OKTA has already authenticated the logon - we just need to make sure it is
; NOT a spoof
already-authenticated:yes
auth-service:OKTA
validate:expiry, start, local, issuer
check the incoming
expiry (vto is after the time now)
start (vfrom is before the time now)
local (vloc is the current IP address)
issuer (issuer matches an entry in LOOKUP - see 'lookup:' below)
lookup: (key) | value
; only these issuers are valid
lookup:ISSUER|https://dev-71239093.okta.com
; only these Radius/Groups are valid
lookup:GROUP|WIRES-ADMIN
lookup:GROUP|WIRES
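Added example (not part of sfflogon) of the validate: and lookup: checks above as one function: it parses the setup fragment, then tests an assertion's vto, vfrom, vloc and issuer against the current time, the client address and the ISSUER allow-list, and its group against the GROUP allow-list. The assertion dictionary and its field names are constructed for the example; the format the front end actually hands over is not described on this page.

```python
import time

# Constructed customer.setup fragment for a site where OKTA has already
# authenticated the user (the issuer URL is the one quoted on the page).
SETUP = """\
already-authenticated:yes
auth-service:OKTA
validate:expiry, start, local, issuer
; only these issuers are valid
lookup:ISSUER|https://dev-71239093.okta.com
; only these Radius/Groups are valid
lookup:GROUP|WIRES-ADMIN
lookup:GROUP|WIRES
"""

# Constructed assertion as a front end might hand it over after the SSO round
# trip: vto/vfrom are epoch seconds, vloc the client address it was issued to.
GOOD = {"logon": "alice", "issuer": "https://dev-71239093.okta.com",
        "vfrom": 1_700_000_000, "vto": 1_700_003_600,
        "vloc": "10.1.5.6", "group": "WIRES-ADMIN"}


def parse_validate_setup(text):
    """Return (checks, lookup): the validate: list and lookup: KEY -> set of values."""
    checks, lookup = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "validate":
            checks = [c.strip().lower() for c in value.split(",") if c.strip()]
        elif key == "lookup":
            k, _, v = value.partition("|")
            lookup.setdefault(k.strip().upper(), set()).add(v.strip())
    return checks, lookup


def validate_assertion(assertion, checks, lookup, now, remote_ip):
    """Return the names of the checks that failed; an empty list means accept.
    Every configured check runs even after one fails so the log shows all of
    them. A missing field always fails its check."""
    failed = []
    vto, vfrom = assertion.get("vto"), assertion.get("vfrom")
    if "expiry" in checks and (vto is None or not vto > now):
        failed.append("expiry")
    if "start" in checks and (vfrom is None or not vfrom < now):
        failed.append("start")
    if "local" in checks and assertion.get("vloc") != remote_ip:
        failed.append("local")
    if "issuer" in checks and assertion.get("issuer") not in lookup.get("ISSUER", set()):
        failed.append("issuer")
    # Group allow-list applies whenever GROUP lookups are configured.
    if "GROUP" in lookup and assertion.get("group") not in lookup["GROUP"]:
        failed.append("group")
    return failed


if __name__ == "__main__":
    checks, lookup = parse_validate_setup(SETUP)
    print(validate_assertion(GOOD, checks, lookup, int(time.time()), "10.1.5.6"))
```

The issuer check is the one that turns "already authenticated" from a statement of trust into something verifiable: without an allow-list any party that can reach the front end could present its own assertion.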
use-second-level-logon: (yes/no)
This prompts for a 2nd level of authentication which is a one-time-used pad
default: no
If you use 'use-second-level-logon:yes' you need :
sfflogon version 02d
fip_logon2nd.pl
fip_generatecodes.pl - background program to generate the codes
admin_logon_listradius.pl
admin_logon_radius.pl - to allow an administrator to generate 20 codes for a
logon
Set Variable in the script : $generateCodes = 1;
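Added example, not the fip_generatecodes.pl or admin_logon_radius.pl code, of the one-time-pad property the second-level logon relies on: generate a batch of 20 codes for a logon, keep only salted hashes on the server side, and redeem each code at most once. The 8-digit numeric code format and the hash storage are this example's own assumptions; the page does not describe the real code format.

```python
import hashlib
import hmac
import secrets


def hash_code(salt: bytes, code: str) -> bytes:
    """Salted SHA-256 of a code, so a stolen store does not reveal unused codes."""
    return hashlib.sha256(salt + code.encode()).digest()


def generate_pad(count: int = 20, digits: int = 8):
    """Make `count` distinct random codes for one logon.
    Returns (codes, store): the codes are shown to the administrator/user
    exactly once; only `store` (salt plus hashes) is kept on the server."""
    salt = secrets.token_bytes(16)
    codes = []
    while len(codes) < count:
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        if code not in codes:
            codes.append(code)
    store = {"salt": salt, "unused": [hash_code(salt, c) for c in codes]}
    return codes, store


def redeem(store, submitted: str) -> bool:
    """Accept a code once: compare against every unused hash in constant time
    (no early exit), then delete the matching entry so it cannot be replayed."""
    want = hash_code(store["salt"], submitted.strip())
    hit = -1
    for i, h in enumerate(store["unused"]):
        if hmac.compare_digest(h, want):
            hit = i
    if hit < 0:
        return False
    del store["unused"][hit]
    return True


def demo(count: int = 20):
    """Exercise a pad: first use succeeds, replay fails, garbage fails."""
    codes, store = generate_pad(count)
    first = redeem(store, codes[3])
    replay = redeem(store, codes[3])
    bogus = redeem(store, "not-a-code")
    return len(codes), first, replay, bogus, len(store["unused"])


if __name__ == "__main__":
    print(demo())
```

Whether codes are generated in the background (fip_generatecodes.pl) or by an administrator (admin_logon_radius.pl), the server-side record should hold the hashes, not the codes, and the redeemed entry must be removed before the logon is reported as successful.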
auto-key: (string)
auto-logon: (string)
auto-password: (string)
auto-pub: (string)
auto-option: (string)
Allow a user to logon automatically if this passkey is used as the Fipid.
The logon and password are used to pick up the right logon file or
logon-list entry.
There can be 19 different auto-keys
default: none
eg
auto-key:Solarsentinel
auto-logon:INTERNAL
auto-password:SUNNY
auto-pub is used to populate user-p8 and pub: for the info file
auto-option:
options include PFX = pub-prefix
Input Parameters are :
Mandatory:
-t : type default: w4
http - apache web server
w4 - w4 logon file
Either
-f : fipid default: none
Or
-l : logon default: none
-c : cookie to use/check default: none
Or
-l : logon default: none
-w : password default: none
Or just encrypt a password and stop
-w : password default: none
-e : 2 letter salt to use, eg -e FU default: none
Or add/replace a Key/Value to fipstore
-K : fipstore key default: none
-V : fipstore value default: none
-N : fipstore name of store default: none
Optional
-A : auth code to check for Google Authentication default: none
-d : full logon name default: none
-D : display progress default: do not
-E : check external first default: no
use w4-auth-script to verify logon BEFORE checking w4 (or http) files
-g : Publication or organisation default: none
-p : remote host port number default: none
-s : remote host name or IPaddress default: none
-u : url default: none
-z : parameter file name in web/setup default: customer.setup
if not default
-v : print version no and exit
(-s and -p and -u are used by type -t http)
(-c and -f and -z are used by type -t w4 - default)
For those switches with parameters, the parameter MUST be separated by a space.
Other environment variables can be used to define where the system is :
SFF_HOME where the home or top queue is. default: /fip
eg setenv SFF_HOME /ripexpress/underware
SFF_LOG where the log files queue is default: (SFF_HOME)/log
SFF_SPOOL where the data queues are default: (SFF_HOME)/spool
SFF_TMP where the tmp data queues is default: (SFF_HOME)/x
THIS MUST BE ON THE SAME UNIX VOLUME as the SFF_SPOOL queues,
ie if the spools are on /data99 which is hard disk /dev/sd0, you MUST also
have the TMP queue on the same disk/partition
NOTE that for all BUT SFF_HOME, if the parameter starts with a '/' then it is a
hard, absolute path; if not then the spool area is under SFF_HOME.
eg setenv SFF_SPOOL /data7 will look under /data7 for queues
while setenv SFF_SPOOL data7 will look under /fip/data7
Version Control
;2r17 17sep05 added 2nd level and blocks
;d-f added errors for logon/pad and balanced pad ;f added p10 and p11
;g 29aug06 added w4-extra-script for LDAP etc and use-radius
;h-i 22sep06 Winnt version of pad
;j 24oct06 added -d for display name
;k 23jan07 check input field size
;l-m 10may07 added auto-key2-9
;n 2aug07 added srfipcpy
;o1 30sep07 if setup/logon.radius.setup exists, use it for extra list fields
;p1 06dec07 read all logon file for Cookies/Shh too
;q2 24jan08 added auto-pub and auto-option
;r1-4 5jan14 added logon-list-extra1/2 ;4 blackwhite lists
;r6-7 15feb16 added w4-auth-script plus LO for orig pwd (UC/lcase)
;r8-13 1apr18 added google authentication (really totp auth for anyone); 11
sffhmac -k -> -K) ;12-13 w4-auth-script pwd
;14 15oct21 auth-service:external to use w4-auth-script BEFORE checking w4
logon files (needs fip_logon.pl 16u)
;15 26oct21 added fipstore -K -N -V (and https??)
;16-17 13oct23 added auth-service: OKTA (17-minor do_google_auth is now
chk_totp_auth)
;001h 13may03 added w4 - cookies etc
;b 10jul03 allow more than 1 cookie
;c-d 21jul03 added expires...
;e 08mar04 added external address tracking
;f-h 26mar04 added logon-list-file
;000a 15dec02 original version
(copyright) 2025 and previous years FingerPost Ltd.