[RADIATOR] Executing an external script from Radiator

Martin Burton mvb at sanger.ac.uk
Wed Jun 29 07:56:20 CDT 2011


Hi M P

Radiator responds to the NAS depending on the exit code of your script:

The responses are:

Exit Code   Response
=========   ========
    0       Access-Accept
    1       Access-Reject
    2       DO NOT REPLY AT ALL

In addition any attribute-value pairs you provide on standard output
will be passed back to the NAS.

So for example you can do:


#!/bin/bash

ACCEPT=0
REJECT=1
BOMB=2

...

if [... something failed and we couldn't do the auth ...]; then
	exit $BOMB
fi

...

if [... condition for accept is true ...]; then
	echo "Reply-Message = \"Welcome - access accepted!\""
	exit $ACCEPT
fi

...

# if we get here we got an unauth user
echo "Reply-Message = \"Go Away!!! - You are not welcome!\""
exit $REJECT

Hope that helps.

As Alan mentioned, doing this kind of thing using the available
functions and modules of both Radiator and Perl would be much better
than using bash.  I'd strongly advise that once you have prototyped this
using your shell script that you look into other ways of implementing
the same thing that will allow you to build in much better safeguards.

Cheers,

Martin
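As an added example that is not part of the thread, here is a script in the shape the replies describe: it reads the attribute=value lines once from stdin (the earlier grep-based version consumed stdin on the first grep), strips the surrounding quotes, looks the user up over HTTP with the username URL-encoded, and maps the outcome to the three exit codes. The backend host and URL path are taken from MP's script; the `run` argument, the curl-based lookup and the function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: an AuthBy EXTERNAL helper that reads the
# attribute=value lines Radiator writes on stdin, looks the user up, and maps
# the result to the exit codes Martin lists (0 accept, 1 reject, 2 no reply).
ACCEPT=0; REJECT=1; NOREPLY=2
HOST=192.168.1.101   # backend host and URL path below are from MP's script
# One read loop consumes stdin exactly once; a second grep would find it
# already empty (the earlier bug). Values arrive as  Name = "value"  so the
# quotes are stripped here instead of being compared against later.
parse_request() {
    USERNAME=""; PASSWORD=""
    local line name value
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%=*}; name=${name%% *}
        value=${line#*= }; value=${value#\"}; value=${value%\"}
        case "$name" in
            User-Name)     USERNAME=$value ;;
            User-Password) PASSWORD=$value ;;
        esac
    done
}

# Expected password from the HTTP backend (first '|'-separated field, as in
# MP's script). --data-urlencode stops a username containing '&' or spaces
# from rewriting the query; -f makes an HTTP error yield an empty result.
lookup_password() {
    curl -fsS --get --data-urlencode "phonenumber=$1" \
        "http://$HOST/credentials.php?command=password_retrieve" | cut -d'|' -f1
}

# decide EXPECTED GIVEN: prints the Reply-Message pair and returns the exit
# code. An empty EXPECTED means the lookup failed, so say nothing (2) rather
# than reject, which the NAS would show to the user as wrong credentials.
decide() {
    local expected=$1 given=$2
    [ -n "$expected" ] || return "$NOREPLY"
    if [ "$given" = "$expected" ]; then
        echo 'Reply-Message = "Welcome - access accepted!"'
        return "$ACCEPT"
    fi
    echo 'Reply-Message = "Go Away!!! - You are not welcome!"'
    return "$REJECT"
}
# Configure as  Command /usr/local/sbin/testauth.sh run ; the 'run' argument is
# this example's convention so the functions can be sourced without running.
if [ "${1:-}" = run ]; then
    parse_request
    decide "$(lookup_password "$USERNAME")" "$PASSWORD"
    exit $?
fi
```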


On 29/06/11 09:22, M P wrote:
> 
> Hello Alan,
> 
> As much as I would want to, that is my current limitation. In my earlier message, I already mentioned that I can only write in BASH.
> 
> Anyway, in connection with sending back the reply to the client either in Access-Accept or Access-Reject, how can I send my custom reply messages on different reasons for the Access-Reject?
> 
> Regards,
> 
> MP
> 
> From: A.L.M.Buxey at lboro.ac.uk
> To: antmtp at hotmail.com; mvb at sanger.ac.uk
> CC: radiator at open.com.au
> Date: Wed, 29 Jun 2011 08:13:05 +0100
> Subject: Re: [RADIATOR] Executing an external script from Radiator
> 
> There's a lot of external shell stuff going on there. Personally I would be using built in perl functions and perl modules for handling the strings and dealing with that URL. It's then also easier to do sanity checks, as this stands you could get some very interesting results with the correctly formed username and/or password (out of scope for this list, suggest looking into secure coding or best practice perl references)
> 
> 
> 
> alan
> 
> 
> 
> ----- Reply message -----
> 
> From: "M P" <antmtp at hotmail.com>
> 
> Date: Wed, Jun 29, 2011 05:31
> 
> Subject: [RADIATOR] Executing an external script from Radiator
> 
> To: "mvb at sanger.ac.uk" <mvb at sanger.ac.uk>
> 
> Cc: "radiator at open.com.au" <radiator at open.com.au>
> 
> 
> Hello Martin,
> 
> Thank you for the hint. I am now able to get the two values.
> 
> Now, I have a follow-up question. What is your recommended way to send the reply back to the user, be it an Access-Accept or Access-Reject? I am thinking of adding the reply back whatever the output of my if statement when comparing the password received from the user and the password I got from my wget command.
> 
> Below is my updated BASH script for your reference.
> 
> - - - < s n i p > - - -
> #!/bin/bash
> 
> HOST=192.168.1.101
> HTTP_PORT=80
> RETVAL=0
> 
> set -x
> 
> function die()
> {
>     echo -e "$@" >> /var/log/messages
>     exit 1
> }
> 
> while read LINE
> do
>     if [[ $LINE =~ User-Name ]] ; then
>         USERNAME=$(echo $LINE | awk -F'61|@' '{print $2}')
>     fi
> 
>     if [[ $LINE =~ User-Password ]] ; then
>         PASSWORD=$(echo $LINE | awk -F'= ' '{print $2}' | awk -F'"|"' '{print $2}')
>     fi
> done
> 
> if echo "" | telnet $HOST $HTTP_PORT 2>&1 | grep -i Connected ; then
> 
>     URL="http://$HOST/credentials.php?command=password_retrieve&phonenumber=$USERNAME"
> 
>     if [ $PASSWORD == $(wget -c -O - $URL | cut -d\| -f 1) ] ; then
>     #    Make an Access-Accept reply to the user.
>     else
>     #    Make an Access-Reject reply to the user.
>     fi
> 
> else
>     die "ERROR: The $HOST is down or unreachable on $(date)."
> fi
> 
> exit ${RETVAL}
> - - - < s n i p > - - -
> 
> Please advise. Thank you in advance.
> 
> Regards,
> 
> MP
> 
> Date: Tue, 28 Jun 2011 12:04:54 +0100
> 
> From: mvb at sanger.ac.uk
> 
> To: radiator at open.com.au
> 
> Subject: Re: [RADIATOR] Executing an external script from Radiator
> 
> 
> 
> You're not iterating over stdin.
>  
> Try something like:
>  
>  
> martin at apollo:~$ cat test.sh
> #!/bin/bash
>  
> #iterate over stdin and pull out the relevant fields.
> while read LINE
> do
>         if [[ $LINE =~ User-Name ]]; then
>                 USERNAME=$( echo $LINE | awk -F'= ' '{print $2}')
>         fi
>         if [[ $LINE =~ User-Password ]]; then
>                 PASSWORD=$( echo $LINE | awk -F'= ' '{print $2}')
>         fi
> done
>  
> echo username is $USERNAME
> echo password is $PASSWORD
>  
>  
> martin at apollo:~$ echo -e "User-Name = \"Fred\"\nUser-Password =
> \"supersecret\"" | ./test.sh
> username is "Fred"
> password is "supersecret"
>  
>  
>  
> On 28/06/11 10:00, M P wrote:
>>
>> Hello all,
>>
>> If you have noticed, I am trying to get the values of the User-Name and User-Password attributes in my BASH script that is being executed by the Command parameter inside my <AuthBy EXTERNAL> clause. In my test, I can only get the value of the User-Name attribute but not with the User-Password attribute as it appears blank. If I can pass the value of the User-Password attribute to the $PASSWORD variable, I will be able to compare it with the return value when I do the wget command.
>>
>> Please advise on how am I able to proceed from here.
>>
>> Regards,
>>
>> MP
>>
>>
>> From: antmtp at hotmail.com
>> To: radiator at open.com.au
>> Date: Tue, 28 Jun 2011 14:50:51 +0800
>> Subject: Re: [RADIATOR] Executing an external script from Radiator
>>
>>
>> Hello all,
>>  
>> How am I able to read the value of the User-Password attribute and pass it to a variable from an (AuthBy) EXTERNAL BASH script? Also, how am I able to send back the result to the user either successful (Access-Accept) or failed (Access-Reject)?
>>  
>> Below is a snippet of my Radiator configuration:
>>  
>> - - - < s n i p > - - -
>> <Realm DEFAULT>
>>     <AuthBy EXTERNAL>
>>         DecryptPassword
>>         Command /usr/local/sbin/testauth.sh
>>         Fork
>>         RejectEmptyPassword
>>     </AuthBy>
>>         AcctLogFileName %L/accounting/detail-%Y%m%d.log
>> </Realm>
>> - - - < s n i p > - - -
>>  
>> Below is my BASH script:
>>  
>> - - - < s n i p > - - -
>> #!/bin/bash
>> USERNAME=$(grep -i User-Name | awk -F'61|@' '{print $2}')
>> PASSWORD=$(grep -i User-Password | awk -F'= ' '{print $2}')
>> HOST=192.168.1.101
>> HTTP_PORT=80
>> URL="http://$HOST/credentials.php?command=password_retrieve&phonenumber=$USERNAME"
>> RETVAL=0
>> set -x
>> function die()
>> {
>>     echo -e "$@" >> /var/log/messages
>>     exit 1
>> }
>> if echo "" | telnet $HOST $HTTP_PORT 2>&1 | grep -i Connected ; then
>>     if [ $PASSWORD == $(wget -c -O - $URL | cut -d\| -f 1) ] ; then
>>     #    Make an Access-Accept reply to the user.
>>     else
>>     #    Make an Access-Reject reply to the user.
>>     fi
>> else
>>     die "ERROR: The $HOST is down or unreachable on $(date)."
>> fi
>> exit ${RETVAL}
>> - - - < s n i p > - - -
>>  
>> Lastly, I am getting the below line in my radiusd.log file:
>>  
>> Tue Jun 28 13:53:01 2011 476732: ERR: Bad attribute=value pair: Connected to 192.168.1.201.
>>  
>> Please advise. Thank you in advance.
>>  
>> Regards,
>>  
>> MP 
>> From: antmtp at hotmail.com
>> To: radiator at open.com.au
>> Date: Wed, 22 Jun 2011 13:50:30 +0800
>> Subject: Re: [RADIATOR] Executing an external script from Radiator
>>
>> Hello all,
>>  
>> Thank you for all who responded to my e-mail.
>>  
>> Now, I have a problem though. First, I am just going to write the script in BASH as I don't know Perl. Second, there is no database here to verify the User-Name and User-Password. Every time there is an Access-Request that is received by the Radiator, it should execute the BASH script to (maybe) wget or curl with an input parameter of the User-Name from an HTTP or HTTPS URL and will receive the output with the User-Name and User-Password to verify and then reply back with an Access-Accept. If during the wget or curl from the URL the output is other than what I expect (the User-Name and User-Password), then Radiator should respond with an Access-Reject.
>>  
>> [NAS Client] <---> (RADIUS Traffic) <---> [Radiator] <---> (Execute Script) <---> (HTTP/HTTPS Traffic) <---> [HTTP Server]
>>  
>> Please advise. Thank you in advance.
>>  
>> From: antmtp at hotmail.com
>> To: radiator at open.com.au
>> Date: Tue, 21 Jun 2011 14:34:37 +0800
>> Subject: [RADIATOR] Executing an external script from Radiator
>>
>> Hello all,
>>  
>> How am I going to execute an external script when Radiator receives an Access-Request? This script will actually do an HTTP API request from an external HTTP server to get the userid then once the script have it on the same server as where the Radiator is running, Radiator will now respond an Access-Accept.
>>  
>> Please advise. Thank you in advance.
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator

-- 
Martin Burton
Senior Systems Administrator               \\\|||///
Special Projects Team                     \\  ^ ^  //
Wellcome Trust Sanger Institute            (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
t: +44 (0)1223 496945             http://www.sanger.ac.uk


