Differences

This shows you the differences between two versions of the page.

--- openvpn [2009/02/23 11:47]
a + change PCKS12 password
+++ openvpn [2009/05/25 00:35]
127.0.0.1 external edit
@@ Line 34: / Line 34: @@
         % openssl dhparam -check -text -5 512     -out   dh512.pem
         % openssl dhparam -check -text -5 1024  -out  dh1024.pem
+===== authenticate OpenVPN users against a plain text file =====
+<code bash| >
+#/bin/sh
+###########################################################
+# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
+#
+# This script will authenticate OpenVPN users against
+# a plain text file. The passfile should simply contain
+# one row per user with the username first followed by
+# one or more space(s) or tab(s) and then the password.
+PASSFILE="/etc/openvpn/psw-file"
+LOG_FILE="/var/log/openvpn-password.log"
+TIME_STAMP=`date "+%Y-%m-%d %T"`
+###########################################################
+if [ ! -r "${PASSFILE}" ]; then
+  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
+  exit 1
+fi
+CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
+if [ "${CORRECT_PASSWORD}" = "" ]; then
+  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
+  exit 1
+fi
+if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
+  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
+  exit 0
+fi
+echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
+exit 1
+</code>
@@ Line 44: / Line 82: @@
    openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
    openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem
 ==== change PKCS12 password using OpenSSL ====
+FIXME - **not tested!**
    openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12
@@ Line 57: / Line 98: @@
   - New export password
+FIXME - alternative way
+<code bash| >
+#!/bin/bash
+echo Exporting private KEY
+openssl pkcs12 -nocerts -in $1 -out userkey.pem
+echo Exporting public cert
+openssl pkcs12 -nokeys -clcerts -in $1 -out usercert.pem
+echo Exporting CA Cert
+openssl pkcs12 -nokeys -cacerts -in $1 -out userca.pem
+echo Creating new PKCS12 cert
+openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile userca.pem -name "FOOBAR" -out $2
+</code>