I am very new to bash scripting, so I apologize in advance for being vague. I have a varied number of OpenVPN configuration profiles I need to connect too on a daily basis, and would like to make this a little easier by introducing automation.
So I am able to get to the authorization part of the process and that's where I get stuck:
Your IP is xx.xx.xx.xx
Mon Oct 13 09:57:14 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Enter Auth Username:
I would like to know how I can use bash to automatically log on using my username and password. So the script would populate and confirm the 2 authorization fields.
Enter Auth Username: username
Enter Auth Password: password
Then once populated and confirmed, I will be connected to the VPN.
I appreciate any help, and please let me know if more information is required.
My current script I am working with is this:
#!/bin/sh
expect_path="$(which expect)"
"$expect_path" "$0" "$#"
#!/bin/usr/expect -f
spawn sudo openvpn /root/Desktop/my.conf #Path to Openvpn config file (.ovpn)
expect -r "\[sudo\] .*\: " {
send "my_ownpassword\n"
}
expect "Enter Auth Username:" {
send "my_user\n"
}
expect "Enter Auth Password:" {
send "my_vpnpassword\n"
}
interact
Current error I am getting:
can't read "(which expect)": no such variable
while executing
"expect_path="$(which expect)""
(file "./vpn.sh" line 2)
./vpn.sh: 7: ./vpn.sh: spawn: not found
expect: invalid option -- 'r'
usage: expect [-div] [-c cmds] [[-f] cmdfile] [args]
./vpn.sh: 9: ./vpn.sh: send: not found
./vpn.sh: 10: ./vpn.sh: Syntax error: "}" unexpected
See https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html for documentation on the TCP protocol intended for use in programmatically controlling an OpenVPN instance.
Use from bash might look something like the following:
#!/bin/bash
# the above shebang is necessary; much of this will not work with /bin/sh
# also, /dev/tcp support is optional functionality at compile time; be sure your bash
# supports it, or you might need to rewrite using netcat.
# Assuming you start OpenVPN with at least the options:
# --management 127.0.0.1 3030
# --management-query-passwords
# connect to OpenVPN management socket on FD 3
exec 3<>/dev/tcp/127.0.0.1/3030
pk_password=secret1 # private key password
username=squirrel # username
password=secret2 # auth password paired with username
# read anything it sends
while read -r -u 3; do
# if it asks for a password, then give it one
if [[ $REPLY = ">PASSWORD: Need 'Private Key' password" ]]; then
echo 'password "Private Key" '"$pk_password" >&3
elif [[ $REPLY = ">PASSWORD: Need 'Auth' username/password" ]]; then
echo 'username "Auth" '"$username" >&3
echo 'password "Auth" '"$password" >&3
else
echo "Ignoring message: $REPLY" >&2
fi
done
All that said -- storing usernames and passwords in plaintext is a horrible, horrible idea. If you actually want your VPN to be secure, and you don't have a user available to enter a password that's something they know (vs something they have stored on the computer), you should be using strong private key auth -- ideally, with that key stored on a hardware token that doesn't allow it to be read out, not a (weak, trivially stolen) password.
Of course, given as this question presupposes that you're willing to do silly, insecure things, you can also make this easier on yourself:
Recompile OpenVPN with the ENABLE_PASSWORD_SAVE flag set (configure --enable-password-save on UNIX), and then --auth-user-pass in your config file will accept a filename as an optional argument giving the location on disk where username and password are stored.
That's actually more secure than the management-interface approach, since it means you aren't giving out your password to any other user who sets up a service on port 3030 pretending to be OpenVPN's management interface.
working for me on Kali 2020.2 simple and easy.
#!/usr/bin/expect -f
# automatic openvpn login
spawn sudo openvpn FILE.ovpn
# script will enter username/password automatic.
expect "Enter Auth Username:"
send "USERNAME\n"
"Enter Auth Password:"
send "PASSWORD\n"
interact
end script
save and run file in map where FILE.ovpn is stored.
Could not get your code to work due, I edited it a little and it works fine now...
#!/bin/bash
exec 3<>/dev/tcp/127.0.0.1/3030
username=xxxxxxxxx # username
password=yyyyyyyyy # auth password paired with username
# read anything it sends
while read -r -u 3; do
if [[ $(echo $REPLY | grep ">PASSWORD:Need 'Auth' username/password") ]]; then
echo "username \"Auth\" $username" >&3
echo "password \"Auth\" $password" >&3
else
echo "Ignoring message: $REPLY" >&2
fi
done
Related
I have the following script. My requirement is if I give the username and IP address the script should check whether the host server has passwordless connectivity with the given server.
script.sh
#!/bin/sh
echo "Enter username"
read user
echo "Enter IP address"
read ip
echo "Enter condition"
read conditon
if [ $condition == "test" ]
then
ssh -o 'PreferredAuthentications=publickey' $user#$ip "echo"
fi
The above script checks for passwordless connectivity and exits. I want the script to return "success" if the connection is there or "No connection" if there is no passwordless connection between the hosts.
Thanks.
You can give an extra option to ssh that sets it in BatchMode
BatchMode
If set to yes, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be yes or no (the default).
source: man sshconfig
The following line will return the requested error code
ssh -oBatchMode=yes user#server echo > /dev/null 2>&1
This will return 0 if it can log in and will return a non-zero value (255) if it fails to login.
So you could do something like:
ssh -oBathMode=yes "${user}#${server}" echo > /dev/null 2>&1 && echo "Success" || echo "No Connection"
Or you could even let the server answer Success as
ssh -oBathMode=yes "${user}#${server}" echo Success 2>/dev/null || echo "No Connection"
Prerequisites
Access to command line/terminal window
User with sudo or root privileges
A local server & a remote server
SSH access to a remote server via command line/terminal window
Before You Start
Check for existing SSH Keys, using the below command
ls -al ~/.ssh/id_*.pub
If the output tells you there are no such files, move on to the next step, which shows you how to generate SSH keys.
Step 1: Generate SSH Key Pair
ssh-keygen -t rsa -b 4096 -C "your_email#domain.com"
Next, type in the path where you want to store the keys or hit
Enter to accept the default path.
It also asks you to set a passphrase, this is to ensure more secure connection. Note that, the Passphrase may be interrupted when you set up automated processes. Else, one can just press Enter to skip this step.
The output shows you the identification & about where is your public key stored along with the key fingerprints.
Verify your newly created SSH key pair, using the below command.
ls -al ~/.ssh/id_*.pub
Step 2: Uploading the Public Key to Remote Server
There are 2 options, that one can adopt:
Using ssh-copy-id Command
Using cat Command
Using ssh-copy-id command
ssh-copy-ide [remote_username]#[server_ip_address]
Using cat Command
ssh [remote_username]#[server_ip_address] mkdir -p .ssh
Type in the password for remote server, and then cat to view the contents of the stored Public Key
cat .ssh/id_rsa.pub | ssh [remote_username]#[server_ip_address] 'cat >> .ssh/authorized_keys'
Step 3: Log in to Server Without Password
Final step is to check whether the setup works fine or not.
ssh [remote_username]#[server_ip_address]
Troubleshooting, if found any errors
If you are still prompted for a password after going through all the steps, start by editing file permissions on the remote server.
Set permissions 700 for the .ssh directory.
Set permissions 640 for the .ssh/authorized_keys directory.
Edit file permissions using this command:
ssh [remote_username]#[server_ip_address] "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
References:
(https://stackoverflow.com/a/52744882/18154805)
I'm new to bash and was tasked with scripting a check for a compliance process.
From bash (or if python is better), I need to script an ssh connection from within the host running the script.
For example:
ssh -l testaccount localhost
But I need to run this 52 times so that it is trapped by an IPS.
When running this string I am prompted for a password and I have to hit enter in order to make the script complete.
Is there a way to include a password or carriage return to act as manual intervention so that I do not have to hit enter each time?
Here's a sample of what I was able to get working, but it only sequenced 30 attempts:
#!/bin/bash
i=0
while [$i -lt 52]
do
echo | ssh -l testaccount localhost&
i=$[$i+1]
done
Fail2ban configuration and good practice :
//count how password as root failed
cat /var/log/secure.1 | grep "Failed password for root" --count
//check the list for analyst
cat /var/log/secure.1 | grep "Failed password for root"
//setting fail2ban copy for local configuration
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
//open the configuration file and edit some secu
sudo nano /etc/fail2ban/jail.local
maxfailures = 5 //here you have to set to 56 as you said
bantime = 600 //here time during second try login
ignoreip = 192.168.0.0/16 //add the lan and ip online static
[mail]
enabled = false //true if you want to alert you IP blacklisted banned ...
//log traffic
cat /var/log/fail2ban.log
[ssh]
//network protocole protection & supervision
enabled = true
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
//enable fail2ban
systemctl enable fail2ban
//start fail2ban
systemctl start fail2ban
NOTE: While expect comes in its own package, expect was already in my SLES base installs ... don't know if this would be true for RHEL, too ... ?
Take a look at this answer on how to automate SSH with a password.
I'm thinking you could probably re-use the expect script from that post to simulate a single failed login, eg:
either set pass to a bogus value or don't set at all
if you don't set pass then remove the send -- "$pass\r" clause
if the remote system re-prompts X times for a password then provide multiple copies of the expect/send commands (a few extras will generate some expect related errors but still cause a failed ssh login)
For one of my remote hosts I'm prompted 3 times to enter a password before I'm returned to the command prompt.
I whipped up the following test:
$ cat sshtest
#!/usr/bin/expect -f
set pass xyz
set server myremotehost
set name bob
spawn ssh $name#$server
match_max 100000
expect "*?assword:*"
send -- "\r"
expect "*?assword:*"
send -- "\r"
expect "*?assword:*"
send -- "\r"
expect "*?assword:*"
send -- "\r"
expect "*?assword:*"
send -- "\r"
interact
And the results of running the script:
$ sshtest
spawn ssh bob#myremotehost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
send: spawn id exp4 not open
while executing
"send -- "\r""
(file "sshtest" line 16)
If you don't have enough expect/send pairs then you'll be left stranded with a Password: prompt, so I added a few extra expect/send pairs, which in turn generated those last 4 lines of the output. [I don't use expect so there may be a more graceful way to do this ... ymmv.]
Obviously your main script could call this script and place said call in the background, and do whatever you want with the output (>/dev/null 2>&1 ??)
I also verified on the remote host that the failed logins were logged in /var/log/warn and /var/log/messages.
We currently have several users that are using the admin user when logging into a server via SSH. They all have their own users but unfortunately they still occasionally use the admin one. We can lock this down of course and take action to make sure that user is never used, but I'm looking to see if there is a way to force each login to enter a reason why they are using that user, before they can login and access the server whenever they use the admin user.
This way we can have an easy way to compare access log files with employee names and the reason why they are using that user.
Any thoughts?
Here's what I would do.
Register everyone's ssh public key into admin user's authorized_keys. In each entry, set the environment EMPLOYEE to the employeename. This will require that PermitUserEnviroment be set to yes in /etc/ssh/sshd_config. A sample entry should look like below.
environment="EMPLOYEE=employee1" ssh-rsa AAAAB3NzaC1y.....EU88ovYKg4GfclWGCFYTuw8==
Now that we have an environment variable named EMPLOYEE, we can write a simple script to ask for the reason.
Create a file /etc/profile.d/reason.sh. The file does not need to be executable as it will be sourced.
if [[ $(whoami) = "admin" ]]; then
read -p "Please specify the reason for logging in as $USER user: " reason
if [ -z "$reason" ]; then
logout
fi
fi
Now you have $EMPLOYEE and $reason to log.
Here's a thought
#!/bin/bash
# if the user tries Ctrl+C to avoid this check
trap INT no_shell_for_you
no_shell_for_you() { exec /bin/false; }
read -p "Your username please: " username
if getent password "$username" >/dev/null 2>&1; then
echo "Welcome, $username"
# log $username somewhere
exec /bin/bash -l
else
no_shell_for_you
fi
Save that as ~admin_user/bin/get_real_user.sh
Add /full/path/to/admin_user/bin/get_real_user.sh to /etc/shells
Do sudo chsh -s /full/path/to/admin_user/bin/get_real_user.sh admin_user
This is untested. Test thoroughly before step 3.
I want to created .sh file
// Tried to connect to ftp server
ftp name_of_server
//input user name
username
//input password
password
link given below
https://github.com/prokid221/shell-programing.git
Instead of login, it again asked to enter username and password
can any one help with this problem?
If you only need file transfers, you could use curl.
download a file:
curl -O -u user:password ftp://example.com/some-file
upload a file:
curl -T some-file -u user:password ftp://example.com
Note: This method may result in your credentials being saved in your command history.
The best solution is to look at your ftp command manual. It probably provides command line flags or can use environment variables to allow you to specify username and password.
If there is no such thing, an alternate way is to feed ftp standard input. I guess this is what you try to do, but instead here is what your script does:
Run ftp and wait for the command to return. That's where ftp asks about username.
Once ftp returned, run a command named after the username. There is probably no command of that name so it will complain about it.
Then, run a command named after the password. It will fail too, but depending on the special characters in the password, it could become a disaster :-)
So, to really feed stdin, you can use printf(1):
printf "username\npassword\n" | ftp name_of_website
Edit: Another way I forgot is to put those informations in the URL: ftp://username:password#name_of_website.
Try :
#!/bin/sh
HOST='your.ftp.server.net'
USER='yourid'
PASSWD='yourpw'
FILE='file.txt'
ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
#put $FILE
#quit
END_SCRIPT
exit 0
If you want to provide hostname from outside the script as commandline, then you can use,
HOST = $1 ,
So if you scriptname is serverftp.sh, you would provide hostname as;
serverftp.sh <ftp_server_name>
how about use expect in shell script?
#!/bin/sh
SERVER="example.com"
ID="toor"
PASSWD="secret"
expect <<EOF
spawn ftp $SERVER
expect ": "
send "$ID\r"
expect "Password:"
send "$PASSWD\r"
expect "ftp>"
send "ls\r
expect "ftp>"
send "quit\r
interact
EOF
I had made a script that allows ftp login.But I dont know how to add password for the user
#!/bin/bash
if grep -q $1 "/opt/proftpd.conf"; then
echo "$1 is an ftp user"
HOST='192.168.1.212'
USER=''$1''
FILE=''$2''
ftp -n -v $HOST <<END_SCRIPT
quote USER $USER
put $FILE
quit
END_SCRIPT
ls -la /home/$1
exit 0
else
echo "$1 is not an ftp user"
fi
exit 0
How can I add the user password for ftpuser?...
An example:
#!/bin/bash
ftp_host="192.168.1.212"
ftp_user="$1"
ftp_file="$2"
read -s -p "Enter password for user ${ftp_user}: " ftp_pass
ftp -n -v ${ftp_host} << EOF
quote USER ${ftp_user}
quote pass ${ftp_pass}
bin
put ${ftp_file}
EOF
It depends on the ftp version.
Sometime versions allow to give user and password together with host name:
ftp://[user[:password]#]host[:port]/path
There are also two ftp commands that allow to pass credentials (man ftp):
account [passwd]
Supply a supplemental password required by a remote system
for access to resources once a login has been successfully
completed. If no argument is included, the user will be
prompted for an account password in a non-echoing input mode.
user user-name [password] [account]
Identify yourself to the remote FTP server. If the password
is not specified and the server requires it, ftp will prompt
the user for it (after disabling local echo). If an account
field is not specified, and the FTP server requires it, the
user will be prompted for it. If an account field is speci-
fied, an account command will be relayed to the remote server
after the login sequence is completed if the remote server
did not require it for logging in. Unless ftp is invoked
with "auto-login" disabled, this process is done automati-
cally on initial connection to the FTP server.