Here's a bash-script that can be tweak'd to generate various radius passwords types. When I first built this script many years back, my goals where to have a hands-off password generator for dumping users accounts into a radius user db file.
1st here's the various types of radius passwords that most radius servers supports.
We will generate a simple salted MD5 password that would be applied to our radius servers user_db using a salt. The script is an replacement for the local-user-shell and is launched in the user directory with a limited read/write/execute permissions.
For our radius password creator, we have a default ssh-login and I always like to go the extra steps and prevent SCP access if available on the unix server.
user=passwordmaker
password=M@keP@ss!
So in our process, the radius-admin mails the
enrollee via his/her email with the account details after the user account has been created.
Than the user at convenience will ssh into the server at ip_address
a.b.c.d with the above username+ password and make his/her password. This password will be mailed to the radius server at a collection inbox securely.
Since the password was made with 10 characters and a equal random salt size, this generate a very hard to hack or & protections from brute-force/hybrid attacks.
Here's the
/etc/password details for the user
passwordmaker
Now the script is very simple and basic. You can tweak it to meet your organizational requirements and policies. It only requires
openssl and
gpg as add-on packages which most common linux distro have installed by default.
#!/bin/bash
#
# modified Aug2 2014 rev 1.4
# ken Felix @ hyperfeed.com
#
# rev 1.0 JAN08-2007 original
# rev 1.1 APRIL09-2008 fixed a few else ifs
# rev 1.1 MAY02-2010 changed date and added the $USER variable
# rev 1.2 NOV21-2009 changed from unsalted md5 , & to salt-md5
# rev 1.3 MAY12-2013 increased the salt to 10characters and changed to openssl due to internal
# audit
# rev 1.4 AUG0-2014 included the password matching and more cleanup work due to user failures
#
#
# This script helps for building our users radius password. It reads the input from the user
# It requires the user to generate a 10 letter or more character password string and then we will
# hash the string and salt it with a random salt of 10 characters
#
USER=" RADIUS_USER @ hyperfeed dot com "
#
echo "Hello, new or existing "$USER". This script will generate your encrypted hash for radius authentication against the IT cisco/juniper/A10/AristaNetwork gear. This will allow you access to the routers, switchs, SLB & our Juniper m7/Js"
# gather username for the window domain user
#
echo -n "Enter your username which is the same as your windowslogin named and press <ENTER>: "
read name
#
# gather password
echo -n " Please enter a 10 character password that and press <ENTER>: "
read passworda
#
# gather password again for the match
echo
echo -n " Please re-enter your 10 character password again and press <ENTER>: "
read passwordb
# random salt variable depends on urandom adjust accordingly to your OS
#
salt=`dd if=/dev/urandom bs=1 count=48 2>/dev/null | base64`
# todays date
DATE=`date +%G%m%d%T`
#
# for password length checking
SIZE=${#passworda}
#
# if name was not set exit ( we have to know the username )
if [ -z $name ]
then
echo " Please provide a valid username and try again. Good Bye! "
exit
#
# if password is NOT 10 or more exit
elif [ "$SIZE" -lt 10 ];
then
echo
echo " Your Password needs to be at least 10 characters or more, including aA-zZ and 1 number , 1 UPPERCASE and 1 special charcter ( # $ ! ) "
echo
echo "Good Bye!"
#
# if passwords don't match , then exit
elif [ $passworda == $passwordb ]; then
echo " I'm generating your encrypted passwords for the provided username of $name "
echo
echo " please wait "
(openssl passwd -1 -salt `echo $salt` $passworda | gpg -e -r radiusteam@localhost -a | mail -s "$DATE $name" radiusadmin )
echo " "
echo " "
echo " For the username that you provided <$name> I've created your RADIUS password . The password will be mail to the radius_admin at radiusadmin@hyperfeed.com ".
echo " "
echo " If you have any questions please contact the above email address."
echo
echo "!!!!!!!!PLEASE WAIT 24 HOURS FOR NEW PASSWORDS TO BE DEPLOYED!!!!!!!!"
echo " "
echo " Thank you and Good Bye!"
elif [ $passworda != $passwordb ]
then
echo " "
echo " $name the two passwords doesn't match, please try again. Thanks & GoodBye!"
exit
else
echo "Good Bye!"
fi
The radius system admin will decrypted the password and then install this radius-user salted+password into the radius server account db or text file.
e.g (
a typical user account )
"myusernameXYZ SMD5-Password := "$1$IElaqnTN$SmrPwX5hjDh4SAt5eqbAQ1"
The <radiusadmin> is a mailaliases that encompass the radius_systems_admin or other various system admins.
The email would look something like the following that's received at the radiusadmin inbox
All of the radius_administrators have read access to the gpg private-key and can decrypt the message .
Future goals are;
>
To deploy string validation for characters aA-zZ and digits ( 0-9 ) and i would like to use a few special characters . If the user doesn't deploy At least 1 capitalize, 1 digits and 1 special character, than we reject them with a error message echo to the screen
>
And I would like to automate this by dumping the hash+salted password directly into a mysql instance via the cli if the user account exists
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( & # )=
@
/ \
