Today's password for guest logins

sstavdal · Mar 12, 2009, 11:30 AM

Hello,

I have just set up a pfsense box, and it installed beautifully, without any hitches whatsoever.
We use the box to allow internet access for visitors in the office, and usually they come and go within a day.

Before pfsense, we used OpenBSD with authcat, so as long as you authenticated with ssh, you were good to go.
Every night at 5am, a script named guestrollpwd.sh ran on the OpenBSD box, automatically creating a new hex password for guest users.

I would like to implement this on the pfsense box, using a similar script, and have this update the /cf/conf/config.xml file (the password for user X under the <captiveportal>section of the file.

I noted that md5 is used to encrypt the passwords, so that is handled just fine.

Now, a long introduction for a short question :
If I manually change the password in the config.xml, how do I make pfsense re-read the config.xml file, or perhaps only the CaptivePortal section of the file?

Cheers,
Simon.

PS, I have included the guestroolpwd.sh script if anyone cares :

##############################################
#!/bin/sh

Define a random password, and make it hexadecimal

INPUT=dd if=/dev/urandom bs=4 count=2 | hexdump

AUTOPWD=echo $INPUT | awk ' { print $2$3$4$5 }'

echo Todays password is $AUTOPWD

echo Now encrypting the password so that pfsense can read it…
echo The encrypted password to insert into config.xml is md5 -qs $AUTOPWD</captiveportal>

Perry · Mar 12, 2009, 4:14 PM

Argh… Should have been a short answer but once I got started....
So you login to http://my_pfSense_ip/guest.php and it generate the guest account with todays password.


#!/bin/sh

clearpass="/var/run/clear.ip"
m5pass="/var/run/m5pass.ip"
# Define a random password, and make it hexadecimal

INPUT=`dd if=/dev/urandom bs=4 count=2 | hexdump`

AUTOPWD=`echo $INPUT | awk ' { print $2$3$4$5 }'`

echo $AUTOPWD > $clearpass
echo `md5 -qs $AUTOPWD` > $m5pass


require_once('guiconfig.inc');

	exec("/usr/local/bin/guestroolpwd.sh");
	// Remove captiveportal guest entry from config.xml
        $task_key = 'guest';
        $x_name='';
        $x=0;
        foreach($config['captiveportal']['user'] as $item) {
            if($item['name']==$task_key) {
               $x_name = $x;
            }
            $x++;
        }
        unset($x);
	if($x_name > 0)
        {
            unset($config['captiveportal']['user'][$x_name]);
            write_config();
        }

	$m5pass = file_get_contents('/var/run/m5pass.ip');
	// Add guest in captiveportal to config.xml
        $user_item = array();
        $user_item['name']      = "guest";
        $user_item['fullname']  = "1 day guest pass";
//	$user_item['expirationdate']  = "";
        $user_item['password']  = "$m5pass";
        $config['captiveportal']['user'][] = $user_item;
        write_config();
	$clear = file_get_contents('/var/run/clear.ip');
	echo "Todays guest password is $clear";
?>

sstavdal · Mar 12, 2009, 6:51 PM

Hi Perry,

Thanks for your input, (and your long answer…) :)
I guess I could use the php script to create the passwords, but this would be interactive, right?
Maybe I could set the expiry timer for 24 hours or such, and every time somebody has visitors, they would run the guest.php script.

How could I limit access to this script though, so somebody on the guest side can´t access it? (the LAN side)?
I would like to limit access to this script to the WAN interface (which sits behind our main firewall)... Any id́eas, or is it simply a firewall rule blocking access to self?
(would that not block the captive portal page)?

My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today´s password on our intranet page...
Guess I could attempt to dissect your php script (I am not much of a PHP scriptor), and pick out the "replace password" bits, but does the guest.php script actually reload the configuration file?

I did some tests, replacing the md5 password manually in the config.xml file, but the login wouldn´t work unless I used the "pre-edit" password, so - the config.xml had not been read by the Captive Portal - if this php script does, which function actually reloads the config file?

Cheers, and thanks again for your help,

Simeon.

Perry · Mar 13, 2009, 9:40 AM

My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today´s password on our intranet page…

Yes I did fear that…...

if this php script does, which function actually reloads the config file?

Well I guees require_once('guiconfig.inc'); could be replaced with
require_once("config.inc");
require_once("functions.inc");
But then everyone can read it.
Different account's and email service afaik will be in pfSense 2.0

edit (After a good night sleep):
/var/run/clear.ip could be created in /usr/local/www/clear.ip so your intranet can access it's
If the intranet ain't on the lan side a simple password can be used to read /var/run/clear.ip