Today's password for guest logins



  • Hello,

    I have just set up a pfsense box, and it installed beautifully, without any hitches whatsoever.
    We use the box to allow internet access for visitors in the office, and usually they come and go within a day.

    Before pfsense, we used OpenBSD with authcat, so as long as you authenticated with ssh, you were good to go.
    Every night at 5am, a script named guestrollpwd.sh ran on the OpenBSD box, automatically creating a new hex password for guest users.

    I would like to implement this on the pfsense box, using a similar script, and have this update the /cf/conf/config.xml file (the password for user X under the <captiveportal> section of the file).

    I noted that md5 is used to encrypt the passwords, so that is handled just fine.

    Now, a long introduction for a short question:
    If I manually change the password in the config.xml, how do I make pfsense re-read the config.xml file, or perhaps only the CaptivePortal section of the file?

    Cheers,
    Simon.

    PS, I have included the guestrollpwd.sh script if anyone cares:

    ##############################################
    #!/bin/sh

    # Define a random password, and make it hexadecimal

    INPUT=`dd if=/dev/urandom bs=4 count=2 | hexdump`

    AUTOPWD=`echo $INPUT | awk ' { print $2$3$4$5 }'`

    echo Todays password is $AUTOPWD

    echo Now encrypting the password so that pfsense can read it...
    echo The encrypted password to insert into config.xml is `md5 -qs $AUTOPWD`



  • Argh... Should have been a short answer but once I got started....
    So you log in to http://my_pfSense_ip/guest.php and it generates the guest account with today's password.

    #!/bin/sh
    # saved as /usr/local/bin/guestroolpwd.sh (the script exec'd by guest.php below)

    clearpass="/var/run/clear.ip"
    m5pass="/var/run/m5pass.ip"
    # Define a random password, and make it hexadecimal

    INPUT=`dd if=/dev/urandom bs=4 count=2 | hexdump`

    AUTOPWD=`echo $INPUT | awk ' { print $2$3$4$5 }'`

    echo $AUTOPWD > $clearpass
    echo `md5 -qs $AUTOPWD` > $m5pass


    <?php
    // guest.php
    require_once('guiconfig.inc');

    exec("/usr/local/bin/guestroolpwd.sh");
    // Remove captiveportal guest entry from config.xml
    $task_key = 'guest';
    $x_name = -1;        // index of the existing guest entry, -1 if there is none
    $x = 0;
    foreach ($config['captiveportal']['user'] as $item) {
        if ($item['name'] == $task_key) {
            $x_name = $x;
        }
        $x++;
    }
    unset($x);
    if ($x_name >= 0) {  // index 0 is a valid match too
        unset($config['captiveportal']['user'][$x_name]);
        write_config();
    }

    // trim() drops the newline that echo wrote, otherwise the stored hash never matches
    $m5pass = trim(file_get_contents('/var/run/m5pass.ip'));
    // Add guest in captiveportal to config.xml
    $user_item = array();
    $user_item['name']      = "guest";
    $user_item['fullname']  = "1 day guest pass";
    //  $user_item['expirationdate']  = "";
    $user_item['password']  = "$m5pass";
    $config['captiveportal']['user'][] = $user_item;
    write_config();
    $clear = trim(file_get_contents('/var/run/clear.ip'));
    echo "Todays guest password is $clear";
    ?>



  • Hi Perry,

    Thanks for your input (and your long answer...)  :)
    I guess I could use the php script to create the passwords, but this would be interactive, right?
    Maybe I could set the expiry timer for 24 hours or such, and every time somebody has visitors, they would run the guest.php script.

    How could I limit access to this script though, so somebody on the guest side can't access it (the LAN side)?
    I would like to limit access to this script to the WAN interface (which sits behind our main firewall)... Any ideas, or is it simply a firewall rule blocking access to self?
    (Would that not block the captive portal page?)

    My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today's password on our intranet page...
    Guess I could attempt to dissect your php script (I am not much of a PHP scriptor), and pick out the "replace password" bits, but does the guest.php script actually reload the configuration file?

    I did some tests, replacing the md5 password manually in the config.xml file, but the login wouldn't work unless I used the "pre-edit" password, so the config.xml had not been read by the Captive Portal. If this php script does, which function actually reloads the config file?

    Cheers, and thanks again for your help,

    Simeon.



  • My initial thought was to run a nightly cronjob for the guestrollpwd.sh script, update the config.xml file, and reload it - and finally post today's password on our intranet page...

    Yes, I did fear that...

    if this php script does, which function actually reloads the config file?

    Well, I guess require_once('guiconfig.inc'); could be replaced with
    require_once("config.inc");
    require_once("functions.inc");
    But then everyone can read it.
    Different accounts and email service, afaik, will be in pfSense 2.0.

    edit (after a good night's sleep):
    /var/run/clear.ip could be created in /usr/local/www/clear.ip so your intranet can access it.
    If the intranet ain't on the LAN side, a simple password can be used to read /var/run/clear.ip.
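A cron-driven version of the same rotation, as an added example that is not code from the thread or from pfSense: it relies only on the config.inc/functions.inc includes, the $config array and write_config() that the replies above name, and the $guest_name value and $clear_file path are placeholders chosen for the example.

```php
<?php
// Added example (not from the thread or the pfSense project): a cron-driven
// version of the rotation, so nobody has to open guest.php by hand.
// Assumes the includes and $config/write_config() named in the thread; the
// $guest_name value and $clear_file path are placeholders chosen here.
require_once("config.inc");
require_once("functions.inc");

$guest_name = "guest";                      // captive portal user to rotate
$clear_file = "/var/run/guest-clear.txt";   // assumed path for the cleartext copy

// 8 random bytes -> 16 hex characters, the same shape as dd|hexdump|awk.
$fh = fopen("/dev/urandom", "rb");
$clear = bin2hex(fread($fh, 8));
fclose($fh);

// The thread notes pfSense keeps captive portal passwords as an md5 hex digest.
// Hashing in PHP avoids the trailing newline that `echo` leaves in m5pass.ip.
$hashed = md5($clear);

if (!is_array($config['captiveportal']['user'])) {
    $config['captiveportal']['user'] = array();
}

// Update the existing entry in place (index 0 included) instead of
// removing and re-adding it, so any other fields on the user survive.
$found = false;
foreach ($config['captiveportal']['user'] as $idx => $user) {
    if ($user['name'] === $guest_name) {
        $config['captiveportal']['user'][$idx]['password'] = $hashed;
        $found = true;
    }
}
if (!$found) {
    $config['captiveportal']['user'][] = array(
        'name'     => $guest_name,
        'fullname' => "1 day guest pass",
        'password' => $hashed,
    );
}

// write_config() rewrites config.xml from $config, which is the step a
// hand edit of the file skips (hence the failed manual test in the thread).
write_config();

// Keep the cleartext copy out of the web root and readable only by root.
file_put_contents($clear_file, $clear . "\n");
chmod($clear_file, 0600);
```

Run it from the pfSense cron as /usr/local/bin/php -f /path/to/script.php (interpreter and script path assumed) and publish the contents of $clear_file to the intranet from there rather than serving the file from /usr/local/www.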

