2011-12-07

sqlite authentication plug-in for OpenVPN

By Taro Yamazaki  |  21:30

This article is a simplified English version of the original (Japanese) article.

This is an authentication plug-in for OpenVPN. It uses an sqlite database for ID/password authentication. It is a Python script, so you can modify it as necessary.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.

Usage

Setting up the credentials database
You have to create an sqlite database that stores the login credentials. In the sample database there is a table called "Users". This table contains a "UserId" field, a "Password" field and an "Active" field. You can modify the auth-sqlite.py script to use another table and/or other fields.

UserId   Password            Active
gonbe    naisho#0023         1
jdoe     Da-reMO_shiRANA1    1
haruka   QueenS#1*2          1
hide     monkey%55!          0
  • You need to store the hashed password instead of the plain password. We use RIPEMD160 as the message digest algorithm, so the "Password" column holds the hex digest of the password, not the plaintext shown in the sample table above.
Place the plug-in script and database file
Place auth-sqlite.py and vpnusers.db (you may change the filename) in an appropriate directory. Usually you can place them in /etc/openvpn. Make sure the script has execute permission.
Edit the server configuration file
Add these directives to your OpenVPN server configuration file. You may remove the client-cert-not-required directive.
script-security 2
client-cert-not-required
username-as-common-name
setenv auth_sqlite_db /etc/openvpn/vpnusers.db
auth-user-pass-verify /etc/openvpn/auth-sqlite.py via-file
Change the paths in the setenv directive and the auth-user-pass-verify directive as needed.
Connect
Try to connect to the server. Before you connect, you have to add the auth-user-pass directive to your client configuration file. You can use vpnux Connector Lite as the OpenVPN client.
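An added example (not part of the original post) that provisions the Users table this plug-in expects and runs the same lookup auth-sqlite.py performs, so an administrator can build vpnusers.db and verify logins without starting OpenVPN. The sample rows are constructed from the table above; the digest parameter is an assumption that defaults to the RIPEMD160 the script uses, and ripemd160_available() reports whether the local hashlib can supply it.

```python
import hashlib
import sqlite3

# Constructed sample rows matching the article's table: (UserId, plaintext password, Active)
SAMPLE_USERS = [
    ("gonbe", "naisho#0023", 1),
    ("jdoe", "Da-reMO_shiRANA1", 1),
    ("haruka", "QueenS#1*2", 1),
    ("hide", "monkey%55!", 0),  # Active = 0: the row exists but the login must be refused
]

def ripemd160_available():
    """hashlib gets RIPEMD160 from OpenSSL; some OpenSSL 3 builds only offer it via the legacy provider."""
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False

def hash_password(password, digest="ripemd160"):
    """Hex digest stored in the Password column, computed exactly as auth-sqlite.py does."""
    return hashlib.new(digest, password.encode("utf-8")).hexdigest()

def provision(conn, users, digest="ripemd160"):
    """Create the Users table the plug-in queries and store hashed passwords only."""
    conn.execute("CREATE TABLE IF NOT EXISTS Users (UserId TEXT PRIMARY KEY, "
                 "Password TEXT NOT NULL, Active INTEGER NOT NULL DEFAULT 1)")
    conn.executemany("INSERT OR REPLACE INTO Users (UserId, Password, Active) VALUES (?, ?, ?)",
                     [(uid, hash_password(pw, digest), active) for uid, pw, active in users])
    conn.commit()

def check_credentials(conn, username, password, digest="ripemd160"):
    """The plug-in's own parameterised lookup: True only for an active user with a matching hash."""
    cur = conn.execute("SELECT count(*) FROM Users WHERE UserId = ? AND Password = ? AND Active = 1",
                       (username, hash_password(password, digest)))
    return cur.fetchone()[0] == 1

def demo(digest="ripemd160"):
    """Provision an in-memory copy of the sample table and try four representative logins."""
    conn = sqlite3.connect(":memory:")
    provision(conn, SAMPLE_USERS, digest)
    results = {
        "good": check_credentials(conn, "gonbe", "naisho#0023", digest),
        "wrong_password": check_credentials(conn, "gonbe", "naisho#0024", digest),
        "inactive": check_credentials(conn, "hide", "monkey%55!", digest),
        "unknown_user": check_credentials(conn, "nobody", "naisho#0023", digest),
    }
    conn.close()
    return results
```

To build the real database, call provision() with sqlite3.connect("/etc/openvpn/vpnusers.db") (or whatever path you set in the setenv directive) and your own user list.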

Source code : auth-sqlite.py

#!/usr/bin/env python3
import os
import sys
import hashlib
try:
    import sqlite3
except ImportError:
    ## Older Python builds shipped sqlite support as a separate module
    from pysqlite2 import dbapi2 as sqlite3

## Read settings from config ("setenv auth_sqlite_db <path>" in the server configuration)
sqlite_file = os.environ["auth_sqlite_db"]
print("[auth-sqlite] sqlite_file : " + sqlite_file)

## Read username and password from via-file
## OpenVPN writes the username on line 1 and the password on line 2
filename = sys.argv[1]
print("[auth-sqlite] filename : " + filename)
with open(filename) as fp:
    data = fp.readlines()
if len(data) < 2:
    print("[auth-sqlite] via-file is missing the username or password line.")
    sys.exit(1)
username = data[0].rstrip("\r\n")   # strip only the line terminator
password = data[1].rstrip("\r\n")
print("[auth-sqlite] username : " + username)
## The password and its hash are deliberately not printed: this output ends up in the OpenVPN log
h = hashlib.new("ripemd160")  # unsalted RIPEMD160 hex digest, as stored in the Users table
h.update(password.encode("utf-8"))
hashedPassword = h.hexdigest()

## Connect and fetch from database
vals = (username, hashedPassword)
conn = sqlite3.connect(sqlite_file)
try:
    cur = conn.cursor()
    ## Parameterised query: the submitted values are bound, never pasted into the SQL text
    cur.execute('SELECT count(*) FROM Users WHERE UserId = ? AND Password = ? AND Active = 1', vals)
    row = cur.fetchone()
    targetRows = row[0]
finally:
    conn.close()

## Return result: exit status 0 accepts the login, any other status rejects it
if targetRows == 1:
    print("[auth-sqlite] Authentication succeeded.")
    sys.exit(0)
else:
    print("[auth-sqlite] Authentication failed.")
    sys.exit(1)

Author: Taro Yamazaki

© 2015 yamata::memo