sfflogon
This program authenticates a logon/password in any one of a number of ways:
1. w4 logon
2. against an apache httpd server (possibly running radius)
sfflogon -s server3 -p 80 -t http -l logon -w passwd
It can also be used to encrypt a password and stop (using the -w and -e input
switches)
# perl example - in the real world, remember to escape any shell metacharacters
# in the password beforehand..
@RESblock = `/fip/bin/sfflogon -w '!!chrisIsAzero' -e XA`;
$encPwd = $RESblock[0];
chomp($encPwd);    # the first line of output is the encrypted password
A parameter file is (normally) web/setup/customer.setup
; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
OR
use-whitelist-file:yes/no default: no
this uses setup/(BLOCK)_WHITELISTS
; assume the address is internal or external if not explicitly stated above
default-address:internal/external
default: internal
; Cookies
allow-cookies:yes/no
Allow users to use cookies so they do not need to logon each time
default: no
allow-external-cookies:yes/no
Allow external users to use cookies.
default: no
logon-list-file:(name of list file)
This is in /fip/web/logon/lists/ and is forced upper case with .INTERNAL and
.EXTERNAL extensions
syntax is
; comment line
name | password | pub | group to use | description or real name |
buttons/usertype | wires | options | prefs
currently only name, password and group are used
logon-list-extra1:
logon-list-extra2: (ext of list file)
Two optional ext for extra logon files that are tested first
eg logon-list-file:SUN
logon-list-extra1:temp
So there can be 2 or 3 logon list files :
- SUN.TEMP will be checked first
- then either SUN.INTERNAL or SUN.EXTERNAL depending on where the request is
sourced.
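The address classification and the list-file search order described above, written out as an added example in Python (not code from sfflogon or the fip distribution). The customer.setup text and the three list files are constructed for the example, and the dict LIST_FILES stands in for /fip/web/logon/lists/; the password itself is deliberately not checked here, only the lookup order is shown.

```python
# Added example (not sfflogon's own code): classify the client address as
# internal or external from the customer.setup patterns, then consult the
# logon list files in the documented order (extra1, extra2, then .INTERNAL
# or .EXTERNAL). Setup text and list files below are constructed input.

# Constructed customer.setup fragment using the settings documented above.
SETUP = """; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
default-address:internal
logon-list-file:SUN
logon-list-extra1:temp
"""

def parse_setup(text):
    """Return setting -> list of values; lines starting with ';' are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg

def addr_matches(addr, pattern):
    """Dotted-quad match where '*' stands for any single octet."""
    a, p = addr.split("."), pattern.split(".")
    return len(a) == len(p) == 4 and all(x == y or y == "*" for x, y in zip(a, p))

def is_internal(addr, cfg):
    """Explicit internal-/external-address lists first, default-address otherwise."""
    if any(addr_matches(addr, pat) for pat in cfg.get("internal-address", [])):
        return True
    if any(addr_matches(addr, pat) for pat in cfg.get("external-address", [])):
        return False
    return cfg.get("default-address", ["internal"])[0].lower() == "internal"

def list_file_names(cfg, internal):
    """Files in the order they are consulted: extra1, extra2, then the
    .INTERNAL or .EXTERNAL file. Names are forced upper case."""
    base = cfg["logon-list-file"][0].upper()
    names = [f"{base}.{ext.upper()}"
             for key in ("logon-list-extra1", "logon-list-extra2")
             for ext in cfg.get(key, []) if ext]
    names.append(f"{base}.{'INTERNAL' if internal else 'EXTERNAL'}")
    return names

def parse_logon_list(text):
    """'name | password | pub | group | ...' lines keyed by name; only name,
    password and group are kept, matching what the page says is used."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 4 and fields[0]:
            entries[fields[0]] = {"password": fields[1], "group": fields[3]}
    return entries

# Constructed stand-ins for the files under /fip/web/logon/lists/.
LIST_FILES = {
    "SUN.TEMP": "; temporary logons, checked first\n"
                "guest | visit1 | SUN | readers | Temporary guest |\n",
    "SUN.INTERNAL": "; staff logons\n"
                    "chris | !!chrisIsAzero | SUN | editors | Chris Example |\n",
    "SUN.EXTERNAL": "; external readers\n"
                    "chris | outside9 | SUN | subscribers | Chris Example |\n",
}

def lookup(name, addr, cfg, files=LIST_FILES):
    """Return (list file, group) from the first file holding the name, else None."""
    for fname in list_file_names(cfg, is_internal(addr, cfg)):
        entries = parse_logon_list(files.get(fname, ""))
        if name in entries:
            return fname, entries[name]["group"]
    return None
```

Note that the same logon name can resolve to a different group depending on where the request comes from, because the .INTERNAL and .EXTERNAL files are separate; an address that matches none of the explicit patterns falls through to default-address, so on a deployment that leaves it at its default every unknown source is treated as internal.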
cookie-name: (name)
default: fipCookie
balance-group: (name)
use this to balance cookies and codes between systems
balance-fipid: (name)
use this to balance Fipids between systems
encrypt-password:yes/no
password in either a single logon file or the logon-list can be encrypted or
not
default: no
use-auth:google totp/hotp 30/60
Use Google Authenticator; Totp or Hotp; 30 or 60 secs stable time
auth-script: (FipSeq string) to replace the default sffhmac string used to test the -A
authCode
/fip/bin/sffhmac -Z sha1 -n 6 -N 8 -z google_otp -d -I (sfflogon adds '\A3'
or P3 or M3 for 3 samples) -K 'secret'
w4-auth-script: (FipSeq string)
w4-extra-script: (FipSeq string)
Run this script to get more attributes - perhaps using LDAP
The difference between the 2 parameters is that the AUTH version must return
0 for a valid logon.
While the extra script is expecting previous authentication to have been
passed.
The script should return 0 for ok; any other is an error
The following FipHdrs are available
LL Logon (-l)
LD FullLogon (-d)
LO Password (-p)
LP UC Password (-p forced UCase)
LF Fipid
LC Cookie
LW Internal=0/External=1 flag
LX TempFile name for all OUTPUT details of the scripts to add to .map and
.info
This is read and the data merged with any other information
eg w4-extra-script:/fip/local/fiplogonldap.pl logon='\LL' file=\LX pwd='\LO'
Note that password and logons may need to be quoted for the script to work
AND beforehand, " is mapped to octal 033, ' octal 034 and # octal 035
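A w4-extra-script written in Python, as an added example of the contract described above (this is not a fip-supplied script). It relies only on what the page states: the FipHdrs are substituted into the FipSeq string, the script must return 0 for ok, it writes its output to the LX temp file, and " ' # arrive mapped to octal 033, 034 and 035. The key=value argument form follows the page's own FipSeq example; the attribute names written (group, description), the key:value line format of the LX file, and the in-memory directory standing in for LDAP are assumptions made here.

```python
# Added example (not a fip-supplied script): a w4-extra-script skeleton.
# sfflogon (per the page) substitutes the FipHdrs into the FipSeq string,
# e.g. logon='\LL' file=\LX pwd='\LO', expects exit status 0 for ok, and reads
# the LX file afterwards. Attribute names, the key:value file layout and the
# directory table below are assumptions for this example.
import os
import sys
import tempfile

# The page states " is mapped to octal 033, ' to 034 and # to 035 before
# substitution; undo that so the script works with the real values.
UNMAP = {"\033": '"', "\034": "'", "\035": "#"}

def unmap_fiphdr(value: str) -> str:
    return "".join(UNMAP.get(ch, ch) for ch in value)

def parse_args(argv):
    """Split key=value arguments into a dict, unmapping the quoted characters."""
    out = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        if sep:
            out[key] = unmap_fiphdr(value)
    return out

def lookup_attributes(logon: str):
    """Stand-in for the directory query (LDAP on the page); constructed table."""
    directory = {"chris": {"group": "editors", "description": "Chris Example"}}
    return directory.get(logon)

def write_attributes(path: str, attrs: dict) -> None:
    """Write one key:value line per attribute into the LX file for merging."""
    with open(path, "w", encoding="utf-8") as fh:
        for key, value in attrs.items():
            fh.write(f"{key}:{value}\n")

def run(argv) -> int:
    """Exit status contract from the page: 0 for ok, any other value is an error."""
    args = parse_args(argv)
    logon, path = args.get("logon"), args.get("file")
    if not logon or not path:
        return 2          # called without the headers we need
    attrs = lookup_attributes(logon)
    if attrs is None:
        return 1          # unknown logon: sfflogon treats non-zero as failure
    write_attributes(path, attrs)
    return 0

def demo(logon: str):
    """Run the contract end to end against a temporary LX file and return
    (exit status, file contents); used to exercise run() without sfflogon."""
    fd, path = tempfile.mkstemp(prefix="sfflogon-lx-")
    os.close(fd)
    try:
        status = run([f"logon={logon}", f"file={path}", "pwd=x"])
        with open(path, encoding="utf-8") as fh:
            return status, fh.read()
    finally:
        os.unlink(path)

if __name__ == "__main__":
    sys.exit(run(sys.argv[1:]))
```

Because the extra script runs after authentication has already passed, its failure mode matters less for who gets in than for what attributes they are given; returning non-zero on an unknown logon rather than writing an empty file keeps sfflogon from silently merging nothing.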
already-authenticated:no/yes
use-radius:no/yes
We have already authenticated the logon, so just get the extra information
default is NO
use-second-level-logon: (yes/no)
This prompts for a 2nd level of authentication which is a one-time-used pad
default: no
If you use 'use-second-level-logon:yes' you need :
sfflogon version 02d
fip_logon2nd.pl
fip_generatecodes.pl - background program to generate the codes
admin_logon_listradius.pl
admin_logon_radius.pl - to allow an administrator to generate 20 codes for a
logon
Set Variable in the script : $generateCodes = 1;
auto-key: (string)
auto-logon: (string)
auto-password: (string)
auto-pub: (string)
auto-option: (string)
Allow user to logon automatically if this passkey is used as the Fipid
The logon and password are used for picking up the right logon file or
logon-list entry.
There can be 19 different auto-keys
default: none
eg
auto-key:Solarsentinel
auto-logon:INTERNAL
auto-password:SUNNY
auto-pub is used to populate user-p8 and pub: for the info file
auto-option:
options include PFX = pub-prefix
Input Parameters are :
Mandatory:
-t : type default: w4
http - apache web server
w4 - w4 logon file
Either
-f : fipid default: none
Or
-l : logon default: none
-c : cookie to use/check default: none
Or
-l : logon default: none
-w : password default: none
Or just encrypt a password and stop
-w : password default: none
-e : 2 letter salt to use, eg -e FU default: none
Or add/replace a Key/Value to fipstore
-K : fipstore key default: none
-V : fipstore value default: none
-N : fipstore name of store default: none
Optional
-A : auth code to check for Google Authentication default: none
-d : full logon name default: none
-D : display progress default: do not
-E : check external first default: no
use w4-auth-script to verify logon BEFORE checking w4 (or http) files
-g : Publication or organisation default: none
-p : remote host port number default: none
-s : remote host name or IPaddress default: none
-u : url default: none
-z : parameter file name in web/setup default: customer.setup
if not default
-v : print version no and exit
(-s and -p and -u are used by type -t http)
(-c and -f and -z are used by type -t w4 - default)
For those switches with parameters, the parameter MUST be separated by a space.
Other environment variables can be used to define where the system is:
SFF_HOME where the home or top queue is. default: /fip
eg setenv SFF_HOME /ripexpress/underware
SFF_LOG where the log files queue is default: (SFF_HOME)/log
SFF_SPOOL where the data queues are default: (SFF_HOME)/spool
SFF_TMP where the tmp data queues are default: (SFF_HOME)/x
THIS MUST BE ON THE SAME UNIX VOLUME as SFF_SPOOL queues.
ie if spools are on /data99 which is hard disk /dev/sd0, you MUST also
have the TMP queue on the same disk/partition
NOTE that for all BUT SFF_HOME, if the parameter starts with a '/' then it is a
hard, absolute path; if not then the spool area is under SFF_HOME.
eg setenv SFF_SPOOL /data7 will look under /data7 for queues
while setenv SFF_SPOOL data7 will look under /fip/data7
Version Control
;2r15 17sep05 added 2nd level and blocks
;d-f added errors for logon/pad and balanced pad ;f added p10 and p11
;g 29aug06 added w4-extra-script for LDAP etc and use-radius
;h-i 22sep06 Winnt version of pad
;j 24oct06 added -d for display name
;k 23jan07 check input field size
;l-m 10may07 added auto-key2-9
;n 2aug07 added srfipcpy
;o1 30sep07 if setup/logon.radius.setup exists, use it for extra lIST fields
;p1 06dec07 read all logon file for Cookies/Shh too
;q2 24jan08 added auto-pub and auto-option
;r1-4 5jan14 added logon-list-extra1/2 ;4 blackwhite lists
;r6-7 15feb16 added w4-auth-script plus LO for orig pwd (UC/lcase)
;r8-13 1apr18 added google authentication (; 11 sffhmac -k -> -K) ;12-13
w4-auth-script pwd
;14 15oct21 auth-service:external to use w4-auth-script BEFORE checking w4
logon files (needs fip_logon.pl 16u)
;15 26oct21 added fipstore -K -N -V (and https??)
;001h 13may03 added w4 - cookies etc
;b 10jul03 allow more than 1 cookie
;c-d 21jul03 added expires...
;e 08mar04 added external address tracking
;f-h 26mar04 added logon-list-file
;000a 15dec02 original version
(copyright) 2022 and previous years FingerPost Ltd.