Netgate Discussion Forum

Today's password for guest logins

    sstavdal
    last edited by Mar 12, 2009, 11:30 AM

    Hello,

    I have just set up a pfsense box, and it installed beautifully, without any hitches whatsoever.
    We use the box to allow internet access for visitors in the office, and usually they come and go within a day.

    Before pfsense, we used OpenBSD with authcat, so as long as you authenticated with ssh, you were good to go.
    Every night at 5am, a script named guestrollpwd.sh ran on the OpenBSD box, automatically creating a new hex password for guest users.

    I would like to implement this on the pfsense box, using a similar script, and have this update the /cf/conf/config.xml file (the password for user X under the <captiveportal> section of the file).

    I noted that md5 is used to encrypt the passwords, so that is handled just fine.

    Now, a long introduction for a short question :
    If I manually change the password in the config.xml, how do I make pfsense re-read the config.xml file, or perhaps only the CaptivePortal section of the file?

    Cheers,
    Simon.

    PS, I have included the guestroolpwd.sh script if anyone cares :

    ##############################################
    #!/bin/sh

    # Define a random password, and make it hexadecimal

    INPUT=`dd if=/dev/urandom bs=4 count=2 | hexdump`

    AUTOPWD=`echo $INPUT | awk ' { print $2$3$4$5 }'`

    echo Todays password is $AUTOPWD

    echo Now encrypting the password so that pfsense can read it…
    echo The encrypted password to insert into config.xml is `md5 -qs $AUTOPWD`

      Perry
      last edited by Mar 12, 2009, 4:14 PM Mar 12, 2009, 3:55 PM

      Argh… Should have been a short answer but once I got started....
      So you log in to http://my_pfSense_ip/guest.php and it generates the guest account with today's password.

      
      #!/bin/sh
      # Saved as /usr/local/bin/guestroolpwd.sh (the path guest.php executes)

      clearpass="/var/run/clear.ip"
      m5pass="/var/run/m5pass.ip"

      # Define a random password, and make it hexadecimal
      INPUT=`dd if=/dev/urandom bs=4 count=2 | hexdump`
      AUTOPWD=`echo $INPUT | awk ' { print $2$3$4$5 }'`

      # Store the cleartext password and its MD5 hash for guest.php
      echo $AUTOPWD > $clearpass
      echo `md5 -qs $AUTOPWD` > $m5pass


      <?php
      // guest.php
      require_once('guiconfig.inc');

      exec("/usr/local/bin/guestroolpwd.sh");

      // Remove captiveportal guest entry from config.xml
      $task_key = 'guest';
      $x_name = null;
      $x = 0;
      foreach ($config['captiveportal']['user'] as $item) {
          if ($item['name'] == $task_key) {
              $x_name = $x;
          }
          $x++;
      }
      unset($x);
      // Compare against null so a guest entry at index 0 is removed too
      if ($x_name !== null) {
          unset($config['captiveportal']['user'][$x_name]);
          write_config();
      }

      // trim() drops the newline that echo appended to the file
      $m5pass = trim(file_get_contents('/var/run/m5pass.ip'));
      // Add guest in captiveportal to config.xml
      $user_item = array();
      $user_item['name']      = "guest";
      $user_item['fullname']  = "1 day guest pass";
      // $user_item['expirationdate']  = "";
      $user_item['password']  = "$m5pass";
      $config['captiveportal']['user'][] = $user_item;
      write_config();

      $clear = trim(file_get_contents('/var/run/clear.ip'));
      echo "Todays guest password is $clear";
      ?>
      
      

      /Perry
      doc.pfsense.org
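
An added example, not part of Perry's post or of pfSense: a variant of the password-generation script above that writes the cleartext and MD5 files owner-only, atomically, and without the trailing newline that `echo` appends. The function names and the output-directory argument are assumptions; the file names follow the post.

```sh
#!/bin/sh
# Added example (not from the thread): rotate the guest password into
# owner-only files. Function names and the directory argument are assumptions.

# 8 random bytes -> 16 lowercase hex characters, no hexdump column parsing.
gen_password() {
    dd if=/dev/urandom bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# MD5 hex digest of a string: FreeBSD md5(1) on pfSense, md5sum elsewhere.
md5_hex() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -qs "$1"
    else
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    fi
}

# Write $2 to file $1 with no trailing newline, via temp file + rename,
# so a reader never sees a half-written or world-readable file.
write_secret() {
    tmp="$1.$$"
    ( umask 077; printf '%s' "$2" > "$tmp" ) && mv -f "$tmp" "$1"
}

rotate_guest_password() {
    out_dir="$1"
    pw=$(gen_password)
    # Refuse to continue if the generator produced anything unexpected.
    case "$pw" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#pw}" -eq 16 ] || return 1
    write_secret "$out_dir/clear.ip" "$pw" || return 1
    write_secret "$out_dir/m5pass.ip" "$(md5_hex "$pw")" || return 1
}

# Run only when called with an existing directory, e.g. /var/run.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    rotate_guest_password "$1"
fi
```
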

        sstavdal
        last edited by Mar 12, 2009, 6:51 PM

        Hi Perry,

        Thanks for your input, (and your long answer…)  :)
        I guess I could use the php script to create the passwords, but this would be interactive, right?
        Maybe I could set the expiry timer for 24 hours or such, and every time somebody has visitors, they would run the guest.php script.

        How could I limit access to this script though, so somebody on the guest side can't access it? (the LAN side)?
        I would like to limit access to this script to the WAN interface (which sits behind our main firewall)... Any ideas, or is it simply a firewall rule blocking access to self?
        (would that not block the captive portal page)?

        My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today's password on our intranet page...
        Guess I could attempt to dissect your php script (I am not much of a PHP scriptor), and pick out the "replace password" bits, but does the guest.php script actually reload the configuration file?

        I did some tests, replacing the md5 password manually in the config.xml file, but the login wouldn't work unless I used the "pre-edit" password, so - the config.xml had not been read by the Captive Portal - if this php script does, which function actually reloads the config file?

        Cheers, and thanks again for your help,

        Simeon.

          Perry
          last edited by Mar 13, 2009, 9:40 AM Mar 12, 2009, 8:45 PM

          My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today's password on our intranet page…

          Yes I did fear that…...

          if this php script does, which function actually reloads the config file?

          Well I guess require_once('guiconfig.inc'); could be replaced with
          require_once("config.inc");
          require_once("functions.inc");
          But then everyone can read it.
          Different accounts and email service afaik will be in pfSense 2.0

          edit (After a good night's sleep):
          /var/run/clear.ip could be created in /usr/local/www/clear.ip so your intranet can access it
          If the intranet ain't on the lan side a simple password can be used to read /var/run/clear.ip

          /Perry
          doc.pfsense.org
