authorAlberto Gonzalez Iniesta <agi@inittab.org>2012-11-05 16:28:09 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2012-11-05 16:28:09 +0100
commit8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch)
tree566d0620eb693320cb121dfd93a5675fa704a30b /sample-scripts
parent349cfa7acb95abe865209a28e417ec74b56f9bba (diff)
Imported Upstream version 2.3_rc1
Diffstat (limited to 'sample-scripts')
-rwxr-xr-xsample-scripts/auth-pam.pl97
-rwxr-xr-xsample-scripts/bridge-start39
-rwxr-xr-xsample-scripts/bridge-stop18
-rwxr-xr-xsample-scripts/openvpn.init244
-rwxr-xr-xsample-scripts/ucn.pl11
-rwxr-xr-xsample-scripts/verify-cn64
6 files changed, 0 insertions, 473 deletions
diff --git a/sample-scripts/auth-pam.pl b/sample-scripts/auth-pam.pl
deleted file mode 100755
index 5333bad..0000000
--- a/sample-scripts/auth-pam.pl
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/perl -t
-
-# OpenVPN PAM AUTHENTICATON
-# This script can be used to add PAM-based authentication
-# to OpenVPN 2.0. The OpenVPN client must provide
-# a username/password, using the --auth-user-pass directive.
-# The OpenVPN server should specify --auth-user-pass-verify
-# with this script as the argument and the 'via-file' method
-# specified. The server can also optionally specify
-# --client-cert-not-required and/or --username-as-common-name.
-
-# SCRIPT OPERATION
-# Return success or failure status based on whether or not a
-# given username/password authenticates using PAM.
-# Caller should write username/password as two lines in a file
-# which is passed to this script as a command line argument.
-
-# CAVEATS
-# * Requires Authen::PAM module, which may also
-# require the pam-devel package.
-# * May need to be run as root in order to
-# access username/password file.
-
-# NOTES
-# * This script is provided mostly as a demonstration of the
-# --auth-user-pass-verify script capability in OpenVPN.
-# For real world usage, see the auth-pam module in the plugin
-# folder.
-
-use Authen::PAM;
-use POSIX;
-
-# This "conversation function" will pass
-# $password to PAM when it asks for it.
-
-sub my_conv_func {
- my @res;
- while ( @_ ) {
- my $code = shift;
- my $msg = shift;
- my $ans = "";
-
- $ans = $password if $msg =~ /[Pp]assword/;
-
- push @res, (PAM_SUCCESS(),$ans);
- }
- push @res, PAM_SUCCESS();
- return @res;
-}
-
-# Identify service type to PAM
-$service = "login";
-
-# Get username/password from file
-
-if ($ARG = shift @ARGV) {
- if (!open (UPFILE, "<$ARG")) {
- print "Could not open username/password file: $ARG\n";
- exit 1;
- }
-} else {
- print "No username/password file specified on command line\n";
- exit 1;
-}
-
-$username = <UPFILE>;
-$password = <UPFILE>;
-
-if (!$username || !$password) {
- print "Username/password not found in file: $ARG\n";
- exit 1;
-}
-
-chomp $username;
-chomp $password;
-
-close (UPFILE);
-
-# Initialize PAM object
-
-if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
- print "Authen::PAM init failed\n";
- exit 1;
-}
-
-# Authenticate with PAM
-
-$res = $pamh->pam_authenticate;
-
-# Return success or failure
-
-if ($res == PAM_SUCCESS()) {
- exit 0;
-} else {
- print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
- exit 1;
-}
diff --git a/sample-scripts/bridge-start b/sample-scripts/bridge-start
deleted file mode 100755
index d20a260..0000000
--- a/sample-scripts/bridge-start
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-#################################
-# Set up Ethernet bridge on Linux
-# Requires: bridge-utils
-#################################
-
-# Define Bridge Interface
-br="br0"
-
-# Define list of TAP interfaces to be bridged,
-# for example tap="tap0 tap1 tap2".
-tap="tap0"
-
-# Define physical ethernet interface to be bridged
-# with TAP interface(s) above.
-eth="eth0"
-eth_ip="192.168.8.4"
-eth_netmask="255.255.255.0"
-eth_broadcast="192.168.8.255"
-
-for t in $tap; do
- openvpn --mktun --dev $t
-done
-
-brctl addbr $br
-brctl addif $br $eth
-
-for t in $tap; do
- brctl addif $br $t
-done
-
-for t in $tap; do
- ifconfig $t 0.0.0.0 promisc up
-done
-
-ifconfig $eth 0.0.0.0 promisc up
-
-ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
diff --git a/sample-scripts/bridge-stop b/sample-scripts/bridge-stop
deleted file mode 100755
index 8192779..0000000
--- a/sample-scripts/bridge-stop
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-####################################
-# Tear Down Ethernet bridge on Linux
-####################################
-
-# Define Bridge Interface
-br="br0"
-
-# Define list of TAP interfaces to be bridged together
-tap="tap0"
-
-ifconfig $br down
-brctl delbr $br
-
-for t in $tap; do
- openvpn --rmtun --dev $t
-done
diff --git a/sample-scripts/openvpn.init b/sample-scripts/openvpn.init
deleted file mode 100755
index 821abd5..0000000
--- a/sample-scripts/openvpn.init
+++ /dev/null
@@ -1,244 +0,0 @@
-#!/bin/sh
-#
-# openvpn This shell script takes care of starting and stopping
-# openvpn on RedHat or other chkconfig-based system.
-#
-# chkconfig: 345 24 76
-#
-# description: OpenVPN is a robust and highly flexible tunneling application \
-# that uses all of the encryption, authentication, and \
-# certification features of the OpenSSL library to securely \
-# tunnel IP networks over a single UDP port.
-#
-
-# Contributed to the OpenVPN project by
-# Douglas Keller <doug@voidstar.dyndns.org>
-# 2002.05.15
-
-# To install:
-# copy this file to /etc/rc.d/init.d/openvpn
-# shell> chkconfig --add openvpn
-# shell> mkdir /etc/openvpn
-# make .conf or .sh files in /etc/openvpn (see below)
-
-# To uninstall:
-# run: chkconfig --del openvpn
-
-# Author's Notes:
-#
-# I have created an /etc/init.d init script and enhanced openvpn.spec to
-# automatically register the init script. Once the RPM is installed you
-# can start and stop OpenVPN with "service openvpn start" and "service
-# openvpn stop".
-#
-# The init script does the following:
-#
-# - Starts an openvpn process for each .conf file it finds in
-# /etc/openvpn.
-#
-# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
-# it before starting openvpn (useful for doing openvpn --mktun...).
-#
-# - In addition to start/stop you can do:
-#
-# service openvpn reload - SIGHUP
-# service openvpn reopen - SIGUSR1
-# service openvpn status - SIGUSR2
-#
-# Modifications:
-#
-# 2003.05.02
-# * Changed == to = for sh compliance (Bishop Clark).
-# * If condrestart|reload|reopen|status, check that we were
-# actually started (James Yonan).
-# * Added lock, piddir, and work variables (James Yonan).
-# * If start is attempted twice, without an intervening stop, or
-# if start is attempted when previous start was not properly
-# shut down, then kill any previously started processes, before
-# commencing new start operation (James Yonan).
-# * Do a better job of flagging errors on start, and properly
-# returning success or failure status to caller (James Yonan).
-#
-# 2005.04.04
-# * Added openvpn-startup and openvpn-shutdown script calls
-# (James Yonan).
-#
-
-# Location of openvpn binary
-openvpn=""
-openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
-for location in $openvpn_locations
-do
- if [ -f "$location" ]
- then
- openvpn=$location
- fi
-done
-
-# Lockfile
-lock="/var/lock/subsys/openvpn"
-
-# PID directory
-piddir="/var/run/openvpn"
-
-# Our working directory
-work=/etc/openvpn
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-# Source networking configuration.
-. /etc/sysconfig/network
-
-# Check that networking is up.
-if [ ${NETWORKING} = "no" ]
-then
- echo "Networking is down"
- exit 0
-fi
-
-# Check that binary exists
-if ! [ -f $openvpn ]
-then
- echo "openvpn binary not found"
- exit 0
-fi
-
-# See how we were called.
-case "$1" in
- start)
- echo -n $"Starting openvpn: "
-
- /sbin/modprobe tun >/dev/null 2>&1
-
- # From a security perspective, I think it makes
- # sense to remove this, and have users who need
- # it explictly enable in their --up scripts or
- # firewall setups.
-
- #echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # Run startup script, if defined
- if [ -f $work/openvpn-startup ]; then
- $work/openvpn-startup
- fi
-
- if [ ! -d $piddir ]; then
- mkdir $piddir
- fi
-
- if [ -f $lock ]; then
- # we were not shut down correctly
- for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill `cat $pidf` >/dev/null 2>&1
- fi
- rm -f $pidf
- done
- rm -f $lock
- sleep 2
- fi
-
- rm -f $piddir/*.pid
- cd $work
-
- # Start every .conf in $work and run .sh if exists
- errors=0
- successes=0
- for c in `/bin/ls *.conf 2>/dev/null`; do
- bn=${c%%.conf}
- if [ -f "$bn.sh" ]; then
- . $bn.sh
- fi
- rm -f $piddir/$bn.pid
- $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
- if [ $? = 0 ]; then
- successes=1
- else
- errors=1
- fi
- done
-
- if [ $errors = 1 ]; then
- failure; echo
- else
- success; echo
- fi
-
- if [ $successes = 1 ]; then
- touch $lock
- fi
- ;;
- stop)
- echo -n $"Shutting down openvpn: "
- for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill `cat $pidf` >/dev/null 2>&1
- fi
- rm -f $pidf
- done
-
- # Run shutdown script, if defined
- if [ -f $work/openvpn-shutdown ]; then
- $work/openvpn-shutdown
- fi
-
- success; echo
- rm -f $lock
- ;;
- restart)
- $0 stop
- sleep 2
- $0 start
- ;;
- reload)
- if [ -f $lock ]; then
- for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill -HUP `cat $pidf` >/dev/null 2>&1
- fi
- done
- else
- echo "openvpn: service not started"
- exit 1
- fi
- ;;
- reopen)
- if [ -f $lock ]; then
- for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill -USR1 `cat $pidf` >/dev/null 2>&1
- fi
- done
- else
- echo "openvpn: service not started"
- exit 1
- fi
- ;;
- condrestart)
- if [ -f $lock ]; then
- $0 stop
- # avoid race
- sleep 2
- $0 start
- fi
- ;;
- status)
- if [ -f $lock ]; then
- for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill -USR2 `cat $pidf` >/dev/null 2>&1
- fi
- done
- echo "Status written to /var/log/messages"
- else
- echo "openvpn: service not started"
- exit 1
- fi
- ;;
- *)
- echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
- exit 1
- ;;
-esac
-exit 0
diff --git a/sample-scripts/ucn.pl b/sample-scripts/ucn.pl
deleted file mode 100755
index 6d708f8..0000000
--- a/sample-scripts/ucn.pl
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/perl -t
-
-# OpenVPN --auth-user-pass-verify script.
-# Only authenticate if username equals common_name.
-# In OpenVPN config file:
-# auth-user-pass-verify ./ucn.pl via-env
-
-$username = $ENV{'username'};
-$common_name = $ENV{'common_name'};
-
-exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name);
diff --git a/sample-scripts/verify-cn b/sample-scripts/verify-cn
deleted file mode 100755
index f9fea0f..0000000
--- a/sample-scripts/verify-cn
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-
-# verify-cn -- a sample OpenVPN tls-verify script
-#
-# Return 0 if cn matches the common name component of
-# X509_NAME_oneline, 1 otherwise.
-#
-# For example in OpenVPN, you could use the directive:
-#
-# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
-#
-# This would cause the connection to be dropped unless
-# the client common name is listed on a line in the
-# allowed_clients file.
-
-die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
-
-# Parse out arguments:
-# cnfile -- The file containing the list of common names, one per
-# line, which the client is required to have,
-# taken from the argument to the tls-verify directive
-# in the OpenVPN config file.
-# The file can have blank lines and comment lines that begin
-# with the # character.
-# depth -- The current certificate chain depth. In a typical
-# bi-level chain, the root certificate will be at level
-# 1 and the client certificate will be at level 0.
-# This script will be called separately for each level.
-# x509 -- the X509 subject string as extracted by OpenVPN from
-# the client's provided certificate.
-($cnfile, $depth, $x509) = @ARGV;
-
-if ($depth == 0) {
- # If depth is zero, we know that this is the final
- # certificate in the chain (i.e. the client certificate),
- # and the one we are interested in examining.
- # If so, parse out the common name substring in
- # the X509 subject string.
-
- if ($x509 =~ /\/CN=([^\/]+)/) {
- $cn = $1;
- # Accept the connection if the X509 common name
- # string matches the passed cn argument.
- open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
- while (defined($line = <FH>)) {
- if ($line !~ /^[[:space:]]*(#|$)/o) {
- chop($line);
- if ($line eq $cn) {
- exit 0;
- }
- }
- }
- close(FH);
- }
-
- # Authentication failed -- Either we could not parse
- # the X509 subject string, or the common name in the
- # subject string didn't match the passed cn argument.
- exit 1;
-}
-
-# If depth is nonzero, tell OpenVPN to continue processing
-# the certificate chain.
-exit 0;