o8oygil Posted December 5, 2020 (edited)

We've decided to implement a VPN concentrator for clients to access their iLO/IPMI/BMC without those management controllers being on a public IP themselves. We have no desire to manage another set of usernames and passwords, so we're going to use WHMCS as the authentication backend. We will have a table that grants access to a given VPN subnet or IPMI controller via their WHMCS client ID.

When the user logs in to our panel, I want it to hash the client password the same way WHMCS does and compare it to tblusers.password. I see in there that there are at least a couple of formats it could be in.

Quote
32 hex : 5 alphanum/punct
'd9c2d6ea6a77bfdf12c45b6942cbf92b:(CVvC'

I'm assuming the hex is a hash (md5?) and the 5 alphanum characters are a salt?

Quote
$2y$10$ then 53 characters of base64 encoded
$2y$10$2OAbC30yegroPogCKCLwroSIiQUilh7xIUPXzMsg5cthMRTA82Jye

This looks like a Unix password hash to me, but I'd be surprised if the salt was always the same string, "10".

Is one of these formats obsoleted and one the preferred format? What is the process used to validate that a provided password is correct?

I imagine there could be an API as well that can handle this, but our WHMCS is offsite from the PDUs/IPMI controllers, and I'd really rather binlog the MySQL DB into the datacenter and perform validation in the PDU/VPN interface, so they are not dependent on connectivity between the two at the moment of authentication.

(Yes, I scrambled the hashes I posted.)

Edited December 5, 2020 by o8oygil: avoiding snarky comments
o8oygil Posted December 7, 2020 (Author)

Upon further analysis it appears that we haven't had anyone log in in 5+ years who has one of those "32 hex:5 alphanum/punct" style password hashes, so I'll consider those unnecessary to support.

And I found that the htpasswd utility is able to validate passwords like so. Put them in a text file (testhtpasswdfile, for example) with a username at the beginning, a colon, and then the hash as found in the tblusers table:

username:$2y$10$2OAbC30yegroPogCKCLwroSIiQUilh7xIUPXzMsg5cthMRTA82Jye

Then run:

$ htpasswd -v testhtpasswdfile username
Enter password:
Password for user username correct.
$

So it's htpasswd format, and Apache would probably understand it for use with basic auth over HTTPS. Neat! I should be able to tie that into OpenVPN now with auth-user-pass-verify.

And to generate the htpasswd file, here's a bash script for anyone curious:

$ cat bin/generatehtpasswdfromwhmcs
#!/bin/bash
# Dump one "email:bcrypt-hash" line per user whose stored hash is $2y$10$ (bcrypt) into an htpasswd file.
mysql --skip-column-names -u scripts --password='elitehaxorstr0ngpw!!!1one' 'dbwhmcs' <<< \
'SELECT CONCAT(email, ":", password) FROM `dbwhmcs`.tblusers WHERE password LIKE '"'"'$2y$10$%'"';" > \
/var/www/whmcs.htpasswd
$

This works nicely to authenticate clients who want to use a remote-controllable PDU. I'll look up their active hostings and store their PDU IP address and port numbers in a note in there.
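The post above stops at "tie that into OpenVPN with auth-user-pass-verify". Here is what that hook looks like, as an added example that is not code from the thread or from WHMCS: an auth-user-pass-verify script in via-file mode that looks the user up in the email:$2y$... file generated from tblusers and delegates the bcrypt check to htpasswd -v, as the post does by hand. The path /etc/openvpn/whmcs.htpasswd, the function names, and the sample records in the comments are assumptions for illustration; nothing here is OpenVPN's or WHMCS's own code.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN auth-user-pass-verify hook in
# "via-file" mode. OpenVPN writes the client's username on line 1 and its
# password on line 2 of a temporary file and passes that path as $1; exit 0
# accepts the login, anything else rejects it. Verification is delegated to
# `htpasswd -v` against the email:$2y$... file generated from tblusers.
#
# Assumed (hypothetical) location of that generated file; override via env.
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/openvpn/whmcs.htpasswd}"

# lookup_hash USER FILE: print USER's stored hash, exit 1 if USER is absent.
# Exact match on the field before the first ':' so "bob" cannot match "bob@x".
lookup_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { exit !found }' "$2"
}

# check_password USER PASSWORD FILE: exit 0 only if PASSWORD matches USER's hash.
check_password() {
    user=$1 pass=$2 file=$3
    # Only the current WHMCS bcrypt format is accepted. htpasswd also understands
    # crypt(3), MD5 and SHA-1 records, and a stray one must not open the VPN.
    hash=$(lookup_hash "$user" "$file") || return 1
    case $hash in
        '$2y$'*) ;;
        *) return 1 ;;
    esac
    # Verify against a one-line copy so only this user's record is handed to the
    # child process. -i reads the password from stdin, so it never appears in
    # `ps` the way -b would; -v verifies instead of rewriting the file.
    tmp=$(mktemp) || return 1
    printf '%s:%s\n' "$user" "$hash" > "$tmp"
    if printf '%s\n' "$pass" | htpasswd -iv "$tmp" "$user" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# verify_credentials_file FILE [HTPASSWD]: the hook logic proper.
verify_credentials_file() {
    cred=$1 db=${2:-$HTPASSWD_FILE}
    # Line 1 is the username, line 2 the password; a missing second line is a
    # failed login, not a crash.
    {
        IFS= read -r user || return 1
        IFS= read -r pass || [ -n "$pass" ] || return 1
    } < "$cred" || return 1
    # A key containing ':' or whitespace can never be a record in the file.
    case $user in
        ''|*:*|*[[:space:]]*) return 1 ;;
    esac
    [ -n "$pass" ] || return 1
    check_password "$user" "$pass" "$db"
}

# Entry point when OpenVPN (or a manual test) supplies a credentials file.
if [ $# -ge 1 ]; then
    verify_credentials_file "$1"
    exit $?
fi
```

Two lines in the OpenVPN server config wire it in: `script-security 2` and `auth-user-pass-verify /etc/openvpn/whmcs-auth.sh via-file` (script name assumed). The generated htpasswd file only needs to be readable by the unprivileged account OpenVPN runs scripts as after dropping privileges, so it belongs under /etc/openvpn with tight permissions rather than under a web root; regenerating it from the replicated database on a timer is what makes password changes and disabled accounts take effect at the concentrator.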