Diffstat (limited to 'openvpn/sample/sample-scripts')
| -rwxr-xr-x | openvpn/sample/sample-scripts/auth-pam.pl | 97 | ||||
| -rwxr-xr-x | openvpn/sample/sample-scripts/bridge-start | 39 | ||||
| -rwxr-xr-x | openvpn/sample/sample-scripts/bridge-stop | 18 | ||||
| -rwxr-xr-x | openvpn/sample/sample-scripts/ucn.pl | 11 | ||||
| -rwxr-xr-x | openvpn/sample/sample-scripts/verify-cn | 64 | 
5 files changed, 0 insertions, 229 deletions
|
diff --git a/openvpn/sample/sample-scripts/auth-pam.pl b/openvpn/sample/sample-scripts/auth-pam.pl
deleted file mode 100755
index 5333badc..00000000
--- a/openvpn/sample/sample-scripts/auth-pam.pl
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/perl -t
-
-# OpenVPN PAM AUTHENTICATON
-#   This script can be used to add PAM-based authentication
-#   to OpenVPN 2.0.  The OpenVPN client must provide
-#   a username/password, using the --auth-user-pass directive.
-#   The OpenVPN server should specify --auth-user-pass-verify
-#   with this script as the argument and the 'via-file' method
-#   specified.  The server can also optionally specify
-#   --client-cert-not-required and/or --username-as-common-name.
-
-# SCRIPT OPERATION
-#   Return success or failure status based on whether or not a
-#   given username/password authenticates using PAM.
-#   Caller should write username/password as two lines in a file
-#   which is passed to this script as a command line argument.
-
-# CAVEATS
-#   * Requires Authen::PAM module, which may also
-#     require the pam-devel package.
-#   * May need to be run as root in order to
-#     access username/password file.
-
-# NOTES
-#   * This script is provided mostly as a demonstration of the
-#     --auth-user-pass-verify script capability in OpenVPN.
-#     For real world usage, see the auth-pam module in the plugin
-#     folder.
-
-use Authen::PAM;
-use POSIX;
-
-# This "conversation function" will pass
-# $password to PAM when it asks for it.
-
-sub my_conv_func {
-    my @res;
-    while ( @_ ) {
-        my $code = shift;
-        my $msg = shift;
-        my $ans = "";
-
-        $ans = $password if $msg =~ /[Pp]assword/;
-
-        push @res, (PAM_SUCCESS(),$ans);
-    }
-    push @res, PAM_SUCCESS();
-    return @res;
-}
-
-# Identify service type to PAM
-$service = "login";
-
-# Get username/password from file
-
-if ($ARG = shift @ARGV) {
-    if (!open (UPFILE, "<$ARG")) {
-	print "Could not open username/password file: $ARG\n";
-	exit 1;
-    }
-} else {
-    print "No username/password file specified on command line\n";
-    exit 1;
-}
-
-$username = <UPFILE>;
-$password = <UPFILE>;
-
-if (!$username || !$password) {
-    print "Username/password not found in file: $ARG\n";
-    exit 1;
-}
-
-chomp $username;
-chomp $password;
-
-close (UPFILE);
-
-# Initialize PAM object
-
-if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
-    print "Authen::PAM init failed\n";
-    exit 1;
-}
-
-# Authenticate with PAM
-
-$res = $pamh->pam_authenticate;
-
-# Return success or failure
-
-if ($res == PAM_SUCCESS()) {
-    exit 0;
-} else {
-    print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
-    exit 1;
-}
diff --git a/openvpn/sample/sample-scripts/bridge-start b/openvpn/sample/sample-scripts/bridge-start
deleted file mode 100755
index d20a2603..00000000
--- a/openvpn/sample/sample-scripts/bridge-start
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-#################################
-# Set up Ethernet bridge on Linux
-# Requires: bridge-utils
-#################################
-
-# Define Bridge Interface
-br="br0"
-
-# Define list of TAP interfaces to be bridged,
-# for example tap="tap0 tap1 tap2".
-tap="tap0"
-
-# Define physical ethernet interface to be bridged
-# with TAP interface(s) above.
-eth="eth0"
-eth_ip="192.168.8.4"
-eth_netmask="255.255.255.0"
-eth_broadcast="192.168.8.255"
-
-for t in $tap; do
-    openvpn --mktun --dev $t
-done
-
-brctl addbr $br
-brctl addif $br $eth
-
-for t in $tap; do
-    brctl addif $br $t
-done
-
-for t in $tap; do
-    ifconfig $t 0.0.0.0 promisc up
-done
-
-ifconfig $eth 0.0.0.0 promisc up
-
-ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
diff --git a/openvpn/sample/sample-scripts/bridge-stop b/openvpn/sample/sample-scripts/bridge-stop
deleted file mode 100755
index 81927794..00000000
--- a/openvpn/sample/sample-scripts/bridge-stop
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-####################################
-# Tear Down Ethernet bridge on Linux
-####################################
-
-# Define Bridge Interface
-br="br0"
-
-# Define list of TAP interfaces to be bridged together
-tap="tap0"
-
-ifconfig $br down
-brctl delbr $br
-
-for t in $tap; do
-    openvpn --rmtun --dev $t
-done
diff --git a/openvpn/sample/sample-scripts/ucn.pl b/openvpn/sample/sample-scripts/ucn.pl
deleted file mode 100755
index 6d708f82..00000000
--- a/openvpn/sample/sample-scripts/ucn.pl
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/perl -t
-
-# OpenVPN --auth-user-pass-verify script.
-# Only authenticate if username equals common_name.
-# In OpenVPN config file:
-#   auth-user-pass-verify ./ucn.pl via-env
-
-$username = $ENV{'username'};
-$common_name = $ENV{'common_name'};
-
-exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name);
diff --git a/openvpn/sample/sample-scripts/verify-cn b/openvpn/sample/sample-scripts/verify-cn
deleted file mode 100755
index 6e747ef1..00000000
--- a/openvpn/sample/sample-scripts/verify-cn
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-
-# verify-cn -- a sample OpenVPN tls-verify script
-#
-# Return 0 if cn matches the common name component of
-# subject, 1 otherwise.
-#
-# For example in OpenVPN, you could use the directive:
-#
-#   tls-verify "./verify-cn /etc/openvpn/allowed_clients"
-#
-# This would cause the connection to be dropped unless
-# the client common name is listed on a line in the
-# allowed_clients file.
-
-die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);
-
-# Parse out arguments:
-#   cnfile -- The file containing the list of common names, one per
-#             line, which the client is required to have,
-#             taken from the argument to the tls-verify directive
-#             in the OpenVPN config file.
-#             The file can have blank lines and comment lines that begin
-#             with the # character.
-#   depth  -- The current certificate chain depth.  In a typical
-#             bi-level chain, the root certificate will be at level
-#             1 and the client certificate will be at level 0.
-#             This script will be called separately for each level.
-#   x509   -- the X509 subject string as extracted by OpenVPN from
-#             the client's provided certificate.
-($cnfile, $depth, $x509) = @ARGV;
-
-if ($depth == 0) {
-    # If depth is zero, we know that this is the final
-    # certificate in the chain (i.e. the client certificate),
-    # and the one we are interested in examining.
-    # If so, parse out the common name substring in
-    # the X509 subject string.
-
-    if ($x509 =~ / CN=([^,]+)/) {
-        $cn = $1;
-	# Accept the connection if the X509 common name
-	# string matches the passed cn argument.
-	open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
-        while (defined($line = <FH>)) {
-	    if ($line !~ /^[[:space:]]*(#|$)/o) {
-		chop($line);
-		if ($line eq $cn) {
-		    exit 0;
-		}
-	    }
-	}
-	close(FH);
-    }
-
-    # Authentication failed -- Either we could not parse
-    # the X509 subject string, or the common name in the
-    # subject string didn't match the passed cn argument.
-    exit 1;
-}
-
-# If depth is nonzero, tell OpenVPN to continue processing
-# the certificate chain.
-exit 0;
|
