[ale] securid and ppp

Eric Ayers eric.ayers at mindspring.com
Thu Apr 8 07:03:08 EDT 1999


Mark Cantrell wrote:
> 
> I'm needing to dial up to a LAN for a ppp session.  But it's one of those
> SecurID thingies.  So the password changes like every minute.  I'm
> pretty sure it's using PAP once it has the username and password.  The
> problem is I can't just put the password into a chat script.
> 
> On the evil win machine, it just pops up a terminal window to let me
> enter the username/password, then it authenticates just like a normal
> dial-up ppp session would, and assigns me an IP address.
> 
> Has anyone dialed up using securid with a linux client before?  I guess
> I could use minicom and then start up pppd and set the default route and
> all that stuff, but there must be an easier way.
> 
> thanks
> Mark

Yes, what you need is 'expect' (a language for scripting terminal
sessions, built on TCL).  Expect comes with a sample script
that does SecurID authentication.  Unfortunately, it doesn't make it
into the Red Hat distribution that I can see.  If you are interested, here
is a script that does some strange things, like dial out to a site and fire
up an SSH session through the internet to another machine.  (A customer
has a setup where they can SSH out, but not SSH in, so we dial in,
automatically fire up SSH and then display a terminal back.)

In this case, the user running the script has to type in the name of the 
display that they want to see the terminal displayed on.

sorry, the script is a little ugly, but it does the job.


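#!/usr/bin/expect
#
# Dial a modem into a remote console, log in, and from that remote host
# start an ssh session back out over the internet to a third machine,
# forwarding X11 (port 6000) to the terminal the user names.  Once the
# remote menu screen and rxvt are running, the modem line is handed over
# to pppd.
#
# Usage: <script> <modem device> <local ip> <remote ip> <billing code>
#
# Exits 1 on any dial, login or ssh failure.
#
################################################################################

send_user "Starting PPP to My Favorite Site\n"

# Read parameters from the command line
set modem     "[lindex $argv 0]"
set localip   "[lindex $argv 1]"
set remoteip  "[lindex $argv 2]"
set to_bill   "[lindex $argv 3]"


#
# Prompt the user to enter the name of the machine for display
#
set timeout 180
send_user ">>> Enter the name of the machine to DISPLAY (your xterminal):\n"

set user_xterm ""

expect_user {
        -re "(.*)\n" {
                set user_xterm $expect_out(1,string)
                if  { "$user_xterm" == "" } {
                        send_user "*** Enter a non blank string:\n"
                        exp_continue
                }
                # The name is spliced into a shell command line on the
                # remote host below, so only accept plain hostname
                # characters; a stray space or shell metacharacter would
                # otherwise mangle that command.
                if  { ![regexp {^[A-Za-z0-9._-]+$} $user_xterm] } {
                        send_user "*** Enter a plain hostname (letters, digits, '.', '_', '-'):\n"
                        exp_continue
                }
                send_user ">>> got $expect_out(1,string)\n"
        }
        timeout {
                send_user "*** Timeout waiting for user to enter xterm name\n"
                exit 1
        }
}

send_user "menu_screen will be sent to  $user_xterm\n"
send_user "modem=$modem localip=$localip remoteip=$remoteip\n"

#
# Other parameters specific to this script
#
set dialup "1-999-999-9999#,,,$to_bill"
set timeout   180

# NOTE(review): the login password here and the ssh passphrase further
# down are hard-coded, so anyone able to read this file can use the
# account.  Keep the file mode restrictive, or better, prompt for them
# at run time (stty -echo; expect_user) or read them from a root-only file.
set user      "myacct"
set password  "mypasswd"


# The console we're dialing into is set at 9600 bps
set speed     9600

# Linux uses 38400 to mean 'as high as set with setserial'
# See /etc/rc.d/rc.local

if [catch {spawn -noecho -open [open $modem "r+"]} mssg] {
    send_user "Error on spawn: $mssg"
    exit 1
}

stty $speed crtscts

# NOTE: The modem we are calling expects 7bit - Even parity  -  HP console port
# strip off parity
parity 0

# Reset the modem, retrying until it answers OK
send "ATZ\r"

sleep 1
set timeout 5
expect {
        -re ".*OK.*" {
            send_user ">>> Got OK\n"
            # gobble up the rest of the line
            expect -re ".*" { }
        }
        timeout {
            send "ATZ\r"
            exp_continue
        }
}

# Dial; any modem result other than CONNECT is fatal
send "atdt$dialup\r"
set timeout 120

expect {
        -re ".*CONNECT.*" {
            send_user ">>> Got CONNECT\n"
            sleep 2
            send "\r"
            # Go to next expect clause
        }
        -re ".*NO.*CARRIER" {
                send_user "*** No Carrier - Failed to Connect, exiting...\n"
                exit 1
        }
        -re ".*NO.*DIAL.*TONE" {
                send_user "*** No Dialtone - Failed to Connect, exiting...\n"
                exit 1
        }
        -re ".*VOICE" {
                send_user "*** VOICE - Failed to Connect, exiting...\n"
                exit 1
        }
        -re ".*BUSY.*" {
            send_user "*** Line is BUSY\n"
            exit 1
        }
        timeout {
            puts stdout "*** Timeout ....."
            exit 1
        }
}

#
# Log in to the remote console and kick off the ssh port forward.
# X display number 8 (local port 6008) is tried first; it is bumped
# below if that port is already taken on the remote host.
#
set timeout 5
set counter 0
set display 8

expect {
        -re ".*ogin:.*" {
            send_user ">>> Sending Login Name\n"
            send "$user\r"
            exp_continue
        }
        -re ".*assword:" {
            send_user ">>> Sending Password\n"
            send "$password\r"
            exp_continue
        }
        -re ".*prompt>" {
            send_user ">>> Starting ssh command\n"
            set localport  [ expr 6000 + $display ]
            send "ssh -C 123.45.6.7  -f -L $localport:$user_xterm:6000 /usr/local/bin/myscript MyLink $user_xterm $localport \r"
        }
        timeout {
            # No prompt yet: nudge the console with a CR, up to 8 times
            incr counter
            sleep 1
            if  { $counter > 8 } {
                puts "****Didn't get login prompt"
                exit 1;
            }
            send_user ">>> TIMEOUT: Sending another Carriage Return\n"
            send "\r"
            exp_continue
        }
        -re ".*NO.*CARRIER" {
                send_user "*** Failed to Connect, exiting...\n"
                exit 1
        }
}

send_user ">>> Waiting for ssh passphrase prompt\n"

set timeout 60

#
# Wait for a response from SSH.  It should ask for the passphrase.
# Since what we really want is a window to pop up, we must make sure
# that the redirect part of the command is working.  If someone has
# dialed out earlier and already used port 6008, we can detect an
# error message from ssh and switch to a new port.
#
# After the SSH port forwarding works, we'll crank up a menu screen
# and an rxvt session.  Note that they have only a few user licenses,
# and maybe not enough ptys configured at teligent, so sometimes the
# rxvt will pop up and immediately disappear.
#
expect {
        -re ".*Are you sure you want to continue connecting.*" {
                # SSH prompts for confirmation when the host key is not yet
                # in known_hosts.  The original script only printed this
                # message and never answered, so it sat here until timeout.
                #
                # NOTE(review): answering yes blindly accepts whatever key
                # the far end presents and so gives up ssh's protection
                # against a man-in-the-middle on this hop.  Seed the remote
                # account's known_hosts with the expected key so that this
                # branch never fires.
                send_user ">>> Answering YES to host key prompt\n"
                send "yes\r"
                exp_continue
        }
        -re ".*Enter passphrase for RSA key.*" {
                # SSH passphrase prompt (see the credentials note above)
                # send the pass phrase, then start a menu screen
                send_user ">>> Sent super secret pass phrase\n"
                send "supersecret\r"
                sleep 2
                exp_continue
        }
        -re ".*Address already in use.*myprompt>.*" {
                # This will happen on repeated dialouts where the sleep is
                # still running, so try another display!
                incr display
                set localport  [ expr 6000 + $display ]
                # NOTE(review): this retry omits the "MyLink" argument that
                # the first ssh invocation passes to myscript - confirm which
                # form is intended.
                send "ssh -C 123.45.6.7  -f -L $localport:$user_xterm:6000 /usr/local/bin/myscript $user_xterm $localport \r"
                send_user ">>> restarted ssh command to display $display\n"
                # gobble up the next command prompt!
                exp_continue
        }
        -re ".*he0us001>.*" {
                send_user ">>> Started ssh command\n"
                send "DISPLAY=localhost:$display ; export DISPLAY\r"
                send "menu_screen &\r"
                send "nohup rxvt -T MyTitle &\r"
                send_user ">>> Started menu screen and rxvt via the internet back to $user_xterm\n"
                send "exit\r"
                sleep 4
        }
        -re "Usage:.*" {
                send_user "*** Whooops! ssh command line incorrect.\n"
                exit 1
        }
        timeout {
                send_user "*** Timeout...\n"
                exit 1
        }
}

puts stdout "Dialout Successful\n\n"

#
# Disconnect - menu should now be running
#
disconnect


#
# In some cases, the script stops and is replaced by the overlay
# (in this case, running pppd)
#
overlay -0 $spawn_id -1 $spawn_id pppd $modem $speed lock crtscts modem $localip:$remoteip

#
# End
#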





