Sunday, February 1, 2015

Simple, secure radius password generation using openssl and gpg

Here's a bash script that can be tweaked to generate various radius password types. When I first built this script many years back, my goal was to have a hands-off password generator for dumping user accounts into a radius user db file.

First, here are the various types of radius passwords that most radius servers support.


We will generate a simple salted MD5 password that will be applied to our radius server's user_db. The script is a replacement for the local user shell and is launched in the user's home directory with limited read/write/execute permissions.

For our radius password creator we have a default ssh login, and I always like to go the extra step and prevent SCP access if it is available on the unix server.

       user=passwordmaker 

       password=M@keP@ss!

So in our process, the radius admin mails the enrollee the account details at his/her email address after the user account has been created.

Then the user, at his/her convenience, will ssh into the server at ip_address a.b.c.d with the above username and password and make his/her password. This password will be mailed securely to a collection inbox for the radius server.

Since the password is made with 10 characters and an equally sized random salt, this generates a hash that is very hard to crack and protects against brute-force/hybrid attacks.


Here are the /etc/passwd details for the user passwordmaker



Now the script is very simple and basic. You can tweak it to meet your organization's requirements and policies. It only requires openssl and gpg as add-on packages, which most common linux distros have installed by default.


#!/bin/bash

#  modified  Aug2 2014 rev 1.4
#  ken Felix @ hyperfeed.com
#
#   rev 1.0  JAN08-2007 original
#   rev 1.1 APRIL09-2008 fixed a few else ifs
#   rev 1.1 MAY02-2010  changed date and added the $USER variable
#   rev 1.2 NOV21-2009  changed from unsalted md5 to salted md5
#   rev 1.3 MAY12-2013 increased the salt to 10 characters and changed to openssl due to internal audit
#   rev 1.4 AUG0-2014 included the password matching and more cleanup work due to user failures
#
#  This script helps build our users' radius passwords. It reads the input from the user.
#  It requires the user to provide a password string of 10 or more characters, which we then
#  hash with md5crypt (openssl passwd -1) using a random salt of 10 characters.
#  NOTE: md5crypt ($1$) only uses the first 8 salt characters; openssl silently ignores the rest.
#

USER=" RADIUS_USER @ hyperfeed dot com "

echo "Hello, new or existing $USER. This script will generate your encrypted hash for radius authentication against the IT cisco/juniper/A10/AristaNetwork gear. This will allow you access to the routers, switches, SLB & our Juniper m7/Js"

#
# gather username for the windows domain user
#
echo -n "Enter your username, which is the same as your windows login name, and press <ENTER>: "
read -r name

#
# gather password (-s keeps it off the terminal and out of scrollback, -r keeps backslashes literal)
#
echo -n " Please enter a 10 character password and press <ENTER>: "
read -r -s passworda
echo

#
# gather password again for the match
#
echo -n " Please re-enter your 10 character password again and press <ENTER>: "
read -r -s passwordb
echo

# random salt: depends on /dev/urandom, adjust accordingly to your OS.
# Only characters from the md5crypt salt alphabet [a-zA-Z0-9./] are kept;
# plain base64 output would also contain '+' and '=', which are not valid salt characters.
salt=$(LC_ALL=C tr -dc 'a-zA-Z0-9./' < /dev/urandom | head -c 10)

# today's date, used in the mail subject
DATE=$(date +%G%m%d%T)

# for password length checking
SIZE=${#passworda}

#
# if name was not set exit ( we have to know the username )
#
if [ -z "$name" ]; then
   echo " Please provide a valid username and try again. Good Bye! "
   exit 1

#
# if password is NOT 10 or more exit
#
elif [ "$SIZE" -lt 10 ]; then
   echo
   echo " Your Password needs to be at least 10 characters or more, including aA-zZ and 1 number, 1 UPPERCASE and 1 special character ( # $ ! ) "
   echo
   echo "Good Bye!"
   exit 1

#
# if passwords match, hash, encrypt for the radius team and mail
#
elif [ "$passworda" = "$passwordb" ]; then
  echo " I'm generating your encrypted password for the provided username of $name "
  echo
  echo " please wait "

  # -stdin keeps the cleartext password out of the process list (ps); only the
  # resulting $1$salt$hash is GPG-encrypted to the radius team's key and mailed
  printf '%s\n' "$passworda" | openssl passwd -1 -salt "$salt" -stdin | gpg -e -r radiusteam@localhost -a | mail -s "$DATE $name" radiusadmin

  echo " "
  echo " "
  echo " For the username that you provided <$name> I've created your RADIUS password. The password will be mailed to the radius_admin at radiusadmin@hyperfeed.com."
  echo " "
  echo " If you have any questions please contact the above email address."
  echo
  echo "!!!!!!!!PLEASE WAIT 24 HOURS FOR NEW PASSWORDS TO BE DEPLOYED!!!!!!!!"
  echo " "
  echo " Thank you and Good Bye!"

#
# if passwords don't match, then exit
#
else
   echo " "
   echo " $name the two passwords don't match, please try again. Thanks & GoodBye!"
   exit 1
fi


The radius system admin will decrypt the password and then install this salted password hash for the radius user into the radius server's account db or text file.


e.g. (a typical user account)


myusernameXYZ SMD5-Password := "$1$IElaqnTN$SmrPwX5hjDh4SAt5eqbAQ1"
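As an added example that is not part of the original post or the script above, the following Python reproduces the $1$ md5crypt construction that `openssl passwd -1 -salt SALT` produces and checks a candidate password against a users-file entry in the format shown above, with a constant-time comparison. The username, password and salt values in the comments and tests are constructed for the demonstration; the attribute-name caveat in the comment reflects how FreeRADIUS handles $1$ hashes.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
USERS_RE = re.compile(r'^(\S+)\s+\S+\s*:=\s*"(\$1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22})"')


def md5crypt(password: str, salt: str) -> str:
    # Same construction as `openssl passwd -1 -salt SALT PASSWORD` ($1$ md5crypt).
    # md5crypt uses at most 8 salt characters from [./0-9A-Za-z]; a longer salt,
    # such as the script's 10-character one, is silently truncated.
    pw, salt = password.encode(), salt[:8]
    if not re.fullmatch(r"[./0-9A-Za-z]{1,8}", salt):
        raise ValueError("salt must be 1-8 characters from [./0-9A-Za-z]")
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):        # one alt block per 16 bytes of password
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                # bit-by-bit password-length mixing
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""                                # crypt-style base64 over a permuted digest
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c3]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$1${salt}${out}"


def verify_users_line(line: str, username: str, candidate: str) -> bool:
    # Check a candidate password against a FreeRADIUS users-file entry such as
    #   myusernameXYZ Crypt-Password := "$1$IElaqnTN$SmrPwX5hjDh4SAt5eqbAQ1"
    # (FreeRADIUS reads $1$ md5crypt hashes from Crypt-Password, not SMD5-Password).
    m = USERS_RE.match(line)
    if not m or m.group(1) != username:
        return False
    return hmac.compare_digest(md5crypt(candidate, m.group(3)), m.group(2))
```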
 
 
The <radiusadmin> is a mail alias that encompasses the radius_systems_admin and various other system admins.

The email received at the radiusadmin inbox would look something like the following:


All of the radius administrators have read access to the gpg private key and can decrypt the message.

Future goals are:

  > To deploy string validation for characters aA-zZ and digits (0-9), and I would like to use a few special characters. If the user doesn't use at least 1 capital letter, 1 digit and 1 special character, then we reject them with an error message echoed to the screen

  > And I would like to automate this by dumping the hashed+salted password directly into a mysql instance via the cli if the user account exists


Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( &  # )=
      @
      /   \

1 comment:

  1. At first glance I might not say that PasswordWrench is the simplest password manager out there, but once you get it, it totally makes sense. It's a new way of managing passwords and one that's safer than most anything else out there.
