sfflogon

This program authenticates a logon/password in any one of a number of ways:
    1. w4 logon
    2. against an apache httpd server (possibly running radius)
            sfflogon -s server3 -p 80 -t http -l logon -w passwd

It can also be used to encrypt a password and stop (using the -w and -e
input switches):

    # perl example - in the real world the password is user input, so use the
    # list form of open(): the arguments go straight to sfflogon, no shell is
    # involved and there are no metachars to escape beforehand.
    open(my $fh, '-|', '/fip/bin/sfflogon', '-w', '!!chrisIsAzero', '-e', 'XA')
        or die "sfflogon: $!";
    chomp(my $encPwd = <$fh>);
    close($fh);

A parameter file is (normally) web/setup/customer.setup

; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
    OR
use-whitelist-file:yes/no           default: no
    this uses setup/(BLOCK)_WHITELISTS

; assume the address is internal or external if not explicitly stated above
default-address:internal/external   default: internal

; Cookies
allow-cookies:yes/no                default: no
    Allow users to use cookies so they do not need to logon each time
allow-external-cookies:yes/no       default: no
    Allow external users to use cookies.

logon-list-file:(name of list file)
    This is in /fip/web/logon/lists/ and is forced upper case with .INTERNAL
    and .EXTERNAL extensions
    syntax is
        ; comment line
        name | password | pub | group to use | description or real name | buttons/usertype | wires | options | prefs
    currently only name, password and group are used

logon-list-extra1:
logon-list-extra2: (ext of list file)
    Two optional extensions for extra logon files that are tested first
    eg  logon-list-file:SUN
        logon-list-extra1:temp
    So there can be 2 or 3 logon list files:
        - SUN.TEMP will be checked first
        - then either SUN.INTERNAL or SUN.EXTERNAL depending on where the
          request is sourced.
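A worked example of the address rules and the logon-list lookup order above, added here as illustration; it is not sfflogon's or FingerPost's code, and it is Python rather than the program's own language. It assumes three things the page leaves open: a '*' in 10.1.*.* stands for exactly one whole octet; a match on an external-address pattern takes precedence over an internal-address one (the less-privileged answer); and the list files use the '|' syntax shown, with ';' comment lines. The setup fragment, list files, addresses and users are constructed test data. It also makes the consequence of the default-address:internal default visible: any address no pattern covers is treated as internal, and so gets cookies without allow-external-cookies.

```python
from typing import Dict, List, Optional, Tuple

# Constructed customer.setup fragment: the keys are the page's, the
# addresses and list names are made-up test data.
SETUP_TEXT = """
; Internal v External logons
external-address:195.13.83.*
internal-address:10.1.*.*
internal-address:10.2.*.*
default-address:internal
; Cookies
allow-cookies:yes
allow-external-cookies:no
logon-list-file:SUN
logon-list-extra1:temp
"""


def parse_setup(text: str) -> Dict[str, List[str]]:
    """'key:value' lines; repeated keys (internal-address) accumulate in
    order, ';' lines are comments."""
    setup: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            setup.setdefault(key.strip().lower(), []).append(value.strip())
    return setup


def is_ipv4(address: str) -> bool:
    octets = address.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)


def octet_match(pattern: str, address: str) -> bool:
    """Match 10.1.*.* style patterns octet by octet; '*' stands for exactly
    one whole octet.  (Assumed semantics - the page shows only the syntax.)"""
    pats, octs = pattern.split("."), address.split(".")
    return len(pats) == 4 and len(octs) == 4 and all(p == "*" or p == o for p, o in zip(pats, octs))


def classify(setup: Dict[str, List[str]], address: str) -> str:
    """'internal' or 'external'.  Anything that is not a well-formed IPv4
    address is external.  An external-address match wins over an
    internal-address one (assumed: the page gives no precedence).  Unmatched
    addresses fall back to default-address, which the page defaults to
    internal: every address not covered by a pattern is then trusted as
    internal, so set default-address:external unless the internal ranges
    listed are complete."""
    if not is_ipv4(address):
        return "external"
    if any(octet_match(p, address) for p in setup.get("external-address", [])):
        return "external"
    if any(octet_match(p, address) for p in setup.get("internal-address", [])):
        return "internal"
    return "external" if setup.get("default-address", ["internal"])[0].lower() == "external" else "internal"


def cookies_allowed(setup: Dict[str, List[str]], where: str) -> bool:
    """allow-cookies gates everyone; allow-external-cookies additionally gates external users."""
    def yes(key: str) -> bool:
        return setup.get(key, ["no"])[0].lower() == "yes"
    return yes("allow-cookies") and (where == "internal" or yes("allow-external-cookies"))


LIST_DIR = "/fip/web/logon/lists/"
FIELDS = ("name", "password", "pub", "group", "description", "buttons", "wires", "options", "prefs")


def list_files(setup: Dict[str, List[str]], where: str) -> List[str]:
    """Search order: the extra1/extra2 extensions first, then .INTERNAL or
    .EXTERNAL; file names are forced upper case."""
    base = setup["logon-list-file"][0].upper()
    exts = [setup[k][0] for k in ("logon-list-extra1", "logon-list-extra2") if setup.get(k, [""])[0]]
    return [LIST_DIR + base + "." + e.upper() for e in exts + [where]]


def parse_list(text: str) -> Dict[str, Dict[str, str]]:
    """name | password | pub | group | description | buttons | wires | options | prefs"""
    users: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        cols = [c.strip() for c in line.split("|")]
        rec = dict(zip(FIELDS, cols + [""] * (len(FIELDS) - len(cols))))
        if rec["name"]:
            users[rec["name"]] = rec
    return users


# Constructed list files, keyed by the path list_files() produces.
LIST_FILES = {
    LIST_DIR + "SUN.TEMP": "; temporary accounts - checked first\nguest | xyzzy | SUN | VISITOR | temp guest\n",
    LIST_DIR + "SUN.INTERNAL": "; staff\nchris | !!chrisIsAzero | SUN | WIRES-ADMIN | Chris\n",
    LIST_DIR + "SUN.EXTERNAL": "; remote users get a less privileged group\nchris | otherpwd | SUN | WIRES | Chris (remote)\n",
}


def find_logon(setup, address: str, name: str, files=LIST_FILES) -> Optional[Tuple[str, str, str]]:
    """First file in search order holding the name wins: (where, file, group)."""
    where = classify(setup, address)
    for path in list_files(setup, where):
        users = parse_list(files.get(path, ""))
        if name in users:
            return where, path, users[name]["group"]
    return None


if __name__ == "__main__":
    s = parse_setup(SETUP_TEXT)
    for addr in ("10.1.0.5", "195.13.83.1", "203.0.113.7"):
        print(addr, classify(s, addr), cookies_allowed(s, classify(s, addr)), find_logon(s, addr, "chris"))
```

Note what find_logon does not do: it never compares the password column, so it says nothing about whether encrypt-password:no leaves plaintext passwords in these files, which it does. The same user can also resolve to different groups from inside and outside (WIRES-ADMIN from SUN.INTERNAL, WIRES from SUN.EXTERNAL), which is exactly why the classification step and its fail-open default matter.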
cookie-name: (name)                 default: fipCookie
balance-group: (name)
    use this to balance cookies and codes between systems
balance-fipid: (name)
    use this to balance Fipids between systems
encrypt-password:yes/no             default: no
    the password in either a single logon file or the logon-list can be
    encrypted or not

use-auth:google totp/hotp 30/60
    Use Google Authenticator; Totp or Hotp; 30 or 60 secs stable time
auth-script: (FipSeq string)
    to replace the default sffhmac string used to test -A authCode
        /fip/bin/sffhmac -Z sha1 -n 6 -N 8 -z google_otp -d -I (sfflogon adds '\A3' or P3 or M3 for 3 samples) -K 'secret'

w4-auth-script: (FipSeq string)
w4-extra-script: (FipSeq string)
    Run this script to get more attributes - perhaps using LDAP
    The difference between the 2 parameters is that the AUTH version must
    return 0 for a valid logon, while the extra script expects previous
    authentication to have been passed.
    The script should return 0 for ok; any other value is an error.
    The following FipHdrs are available:
        LL  Logon (-l)
        LD  FullLogon (-d)
        LO  Password (-w)
        LP  UC Password (-w forced UCase)
        LF  Fipid
        LC  Cookie
        LW  Internal=0/External=1 flag
        LX  TempFile name for all OUTPUT details of the scripts to add to
            .map and .info. This is read and the data merged with any
            other information.
    eg  w4-extra-script:/fip/local/fiplogonldap.pl logon='\LL' file=\LX pwd='\LO'
    Note that password and logons may need to be quoted for the script to
    work AND beforehand, " is already mapped to octal 033, ' to octal 034
    and # to octal 035.

use-radius:no/yes
already-authenticated:no/yes        default: no
    We have already authenticated the logon, so just get the extra information
    ; OKTA is already authenticated - we just need to make sure it is NOT a spoof
    already-authenticated:yes
auth-service:OKTA
    Google OTP, Microsoft OTP, External, OKTA
validate:expiry, start, local, issuer
    check the incoming
        expiry  (vto is after the time now)
        start   (vfrom is before the time now)
        local   (vloc is the current IP address)
        issuer  (issuer matches an entry in LOOKUP - see 'lookup:' below)
lookup: (key) | value
    ; only these issuers are valid
    lookup:ISSUER|https://dev-71239093.okta.com
    ; only these Radius/Groups are valid
    lookup:GROUP|WIRES-ADMIN
    lookup:GROUP|WIRES

use-second-level-logon: (yes/no)    default: no
    This prompts for a 2nd level of authentication which is a one-time-used pad
    If you use 'use-second-level-logon:yes' you need:
        sfflogon version 02d
        fip_logon2nd.pl
        fip_generatecodes.pl        - background program to generate the codes
        admin_logon_listradius.pl
        admin_logon_radius.pl       - to allow an administrator to generate 20 codes for a logon
            Set Variable in the script : $generateCodes = 1;

auto-key: (string)
auto-logon: (string)
auto-password: (string)
auto-pub: (string)
auto-option: (string)
    Allow a user to logon automatically if this passkey is used as the Fipid.
    The logon and password are used for picking up the right logon file or
    logon-list entry. There can be 19 different auto-keys.  default: none
    eg  auto-key:Solarsentinel
        auto-logon:INTERNAL
        auto-password:SUNNY
    auto-pub is used to populate user-p8 and pub: for the info file
    auto-option: options include PFX = pub-prefix

Input Parameters are :
Mandatory:
    -t : type                           default: w4
            http - apache web server
            w4   - w4 logon file
  Either
    -f : fipid                          default: none
  Or
    -l : logon                          default: none
    -c : cookie to use/check            default: none
  Or
    -l : logon                          default: none
    -w : password                       default: none
  Or just encrypt a password and stop
    -w : password                       default: none
    -e : 2 letter salt to use, eg -e FU default: none
  Or add/replace a Key/Value to fipstore
    -K : fipstore key                   default: none
    -V : fipstore value                 default: none
    -N : fipstore name of store         default: none
Optional
    -A : auth code to check for Google Authentication   default: none
    -d : full logon name                default: none
    -D : display progress               default: do not
    -E : check external first           default: no
            use w4-auth-script to verify logon BEFORE checking w4 (or http) files
    -g : Publication or organisation    default: none
    -p : remote host port number        default: none
    -s : remote host name or IPaddress  default: none
    -u : url                            default: none
    -z : parameter file name in web/setup   default: customer.setup
    -v : print version no and exit
    (-s and -p and -u are used by type -t http)
    (-c and -f and -z are used by type -t w4 - default)
For those switches with parameters, the parameter MUST be separated by a space.

Other env vars can be used to define where the system is :
    SFF_HOME    where the home or top queue is.     default: /fip
                eg setenv SFF_HOME /ripexpress/underware
    SFF_LOG     where the log files queue is        default: (SFF_HOME)/log
    SFF_SPOOL   where the data queues are           default: (SFF_HOME)/spool
    SFF_TMP     where the tmp data queue is         default: (SFF_HOME)/x
                THIS MUST BE ON THE SAME UNIX VOLUME as the SFF_SPOOL queues.
                ie if spools are on /data99 which is hard disk /dev/sd0, you
                MUST also have the TMP queue on the same disk/partition
NOTE that for all BUT SFF_HOME, if the parameter starts with a '/' then it is
a hard, absolute path; if not then the spool area is under SFF_HOME.
    eg     setenv SFF_SPOOL /data7   will look under /data7 for queues
    while  setenv SFF_SPOOL data7    will look under /fip/data7

Version Control
;2r16 17sep05 added 2nd level and blocks
;d-f added errors for logon/pad and balanced pad
;f added p10 and p11
;g 29aug06 added w4-extra-script for LDAP etc and use-radius
;h-i 22sep06 Winnt version of pad
;j 24oct06 added -d for display name
;k 23jan07 check input field size
;l-m 10may07 added auto-key2-9
;n 2aug07 added srfipcpy
;o1 30sep07 if setup/logon.radius.setup exists, use it for extra LIST fields
;p1 06dec07 read all logon file for Cookies/Shh too
;q2 24jan08 added auto-pub and auto-option
;r1-4 5jan14 added logon-list-extra1/2 ;4 blackwhite lists
;r6-7 15feb16 added w4-auth-script plus LO for orig pwd (UC/lcase)
;r8-13 1apr18 added google authentication (; 11 sffhmac -k -> -K) ;12-13 w4-auth-script pwd
;14 15oct21 auth-service:external to use w4-auth-script BEFORE checking w4 logon files (needs fip_logon.pl 16u)
;15 26oct21 added fipstore -K -N -V (and https??)
;16 13oct23 added auth-service: OKTA
;001h 13may03 added w4 - cookies etc
;b 10jul03 allow more than 1 cookie
;c-d 21jul03 added expires...
;e 08mar04 added external address tracking
;f-h 26mar04 added logon-list-file
;000a 15dec02 original version

(copyright) 2024 and previous years FingerPost Ltd.
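With auth-service:OKTA and already-authenticated:yes, sfflogon no longer checks a password; the validate: and lookup: lines described above are all that stands between it and a spoofed assertion. The following is an added example of those checks, not FingerPost's code and not how sfflogon is implemented. It uses the page's field names (vto, vfrom, vloc, issuer) and its lookup:ISSUER / lookup:GROUP lines, and assumes what the page does not state: timestamps are POSIX seconds, the assertion arrives as a dict carrying a groups list, and a user holding none of the lookup:GROUP groups is rejected. The setup fragment and the assertion values are constructed test data.

```python
from typing import Dict, List, Set, Tuple

# Constructed customer.setup fragment using the keys shown on the page;
# the issuer is the one the page itself lists.
SETUP_TEXT = """
auth-service:OKTA
already-authenticated:yes
validate:expiry, start, local, issuer
; only these issuers are valid
lookup:ISSUER|https://dev-71239093.okta.com
; only these Radius/Groups are valid
lookup:GROUP|WIRES-ADMIN
lookup:GROUP|WIRES
"""


def parse_setup(text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Split 'key:value' lines into plain settings and the lookup table.
    lookup:KEY|value lines accumulate per KEY; ';' lines are comments."""
    setup: Dict[str, str] = {}
    lookup: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition(":")  # first ':' only - values may hold URLs
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "lookup":
            lkey, _, lval = value.partition("|")
            lookup.setdefault(lkey.strip().upper(), set()).add(lval.strip())
        else:
            setup[key] = value
    return setup, lookup


def allowed_groups(lookup: Dict[str, Set[str]], assertion: dict) -> List[str]:
    """Groups the assertion carries that are also listed as lookup:GROUP."""
    return sorted(set(assertion.get("groups", [])) & lookup.get("GROUP", set()))


def validate(setup: Dict[str, str], lookup: Dict[str, Set[str]],
             assertion: dict, now: int, client_ip: str) -> List[str]:
    """Run every check named in validate: and return the ones that failed
    (an empty list means accept).  An unrecognised check name is itself a
    failure, so a typo in customer.setup cannot silently disable a check.
    A missing field fails the check rather than skipping it."""
    if setup.get("already-authenticated", "no").lower() != "yes":
        return ["already-authenticated is not yes"]
    failed: List[str] = []
    for check in (c.strip().lower() for c in setup.get("validate", "").split(",")):
        if not check:
            continue
        if check == "expiry":
            ok = "vto" in assertion and assertion["vto"] > now
        elif check == "start":
            ok = "vfrom" in assertion and assertion["vfrom"] < now
        elif check == "local":
            ok = assertion.get("vloc") == client_ip
        elif check == "issuer":
            ok = assertion.get("issuer") in lookup.get("ISSUER", set())
        else:
            ok, check = False, "unknown check " + check
        if not ok:
            failed.append(check)
    # Assumed: the page says only these groups are valid; a user who holds
    # none of them is rejected here.
    if "GROUP" in lookup and not allowed_groups(lookup, assertion):
        failed.append("group")
    return failed


# Constructed assertion as the upstream (OKTA) side would hand it over.
NOW = 1_700_000_600
GOOD = {
    "issuer": "https://dev-71239093.okta.com",
    "vfrom": 1_700_000_000,
    "vto": 1_700_003_600,
    "vloc": "10.1.0.5",
    "groups": ["WIRES", "Everyone"],
}


def check(assertion: dict, client_ip: str = "10.1.0.5", now: int = NOW) -> List[str]:
    setup, lookup = parse_setup(SETUP_TEXT)
    return validate(setup, lookup, assertion, now, client_ip)


if __name__ == "__main__":
    print("good:", check(GOOD))
    print("spoofed issuer:", check({**GOOD, "issuer": "https://evil.example"}))
    print("replayed from elsewhere:", check(GOOD, client_ip="203.0.113.9"))
```

The local check is the one that catches an assertion lifted from one client and replayed from another, and the issuer lookup is the one that catches a token minted by a different tenant; neither is useful if validate: lists only expiry and start, which is why the example reports every failed check rather than stopping at the first.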
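For use-auth:google the page hands the -A authCode check to sffhmac with sha1, 6 digits and the google_otp mode, and has sfflogon ask for 3 samples. sffhmac itself is not shown here; the block below is an added example, not FingerPost's or sffhmac's code: a reference HOTP (RFC 4226) and TOTP (RFC 6238) verifier with those same parameters, which is what a Google Authenticator code is. It assumes the three samples are the previous, current and next time step (the page does not say how A3, P3 and M3 spread them), and uses the RFC test secret as the enrolled key.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def secret_from_base32(text: str) -> bytes:
    """Google Authenticator shows the enrolled secret in base32; upper-case
    and pad before decoding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then `digits` decimal digits, zero padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = unix time // step (30 or 60 s here)."""
    return hotp(secret, at // step, digits)


def well_formed(code: str, digits: int) -> bool:
    return len(code) == digits and code.isdigit()


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, samples: int = 3) -> bool:
    """Accept if the code matches any of `samples` consecutive steps centred
    on the current one (3 samples = previous, current, next: one step of
    clock drift either way).  Constant-time comparison, and the loop does
    not stop at the first hit, so timing does not reveal which step matched."""
    if not well_formed(code, digits):
        return False
    at = int(time.time()) if at is None else at
    centre, half = at // step, samples // 2
    matched = False
    for delta in range(-half, samples - half):
        matched |= hmac.compare_digest(hotp(secret, centre + delta, digits), code)
    return matched


def verify_hotp(secret: bytes, code: str, counter: int,
                look_ahead: int = 3, digits: int = 6) -> Optional[int]:
    """Counter mode: try the stored counter and a few ahead (codes the user
    generated but never submitted).  Returns the counter to store next, or
    None.  Anything at or below the stored counter is a replay and fails."""
    if not well_formed(code, digits):
        return None
    for c in range(counter, counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


# RFC 4226 / RFC 6238 test secret "12345678901234567890", as it would be
# enrolled in Google Authenticator.
TEST_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print("code at t=59:", totp(TEST_SECRET, 59))
    print("one step late, 3 samples:", verify_totp(TEST_SECRET, "287082", at=89))
    print("two steps late:", verify_totp(TEST_SECRET, "287082", at=119))
```

Two things to keep in mind when tuning this. Every extra sample triples nothing but the attacker's odds: with 3 samples of a 6-digit code a single guess succeeds 3 in 10^6 times, so the -A check still needs a lockout or rate limit in front of it. And verify_totp on its own accepts the same code again for as long as it stays inside the window; the HOTP path above shows the fix (store the last accepted counter and refuse anything at or below it), and the same last-accepted-step record is needed for TOTP.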