lh | 9ed821d | 2023-04-07 01:36:19 -0700 | 1 | v 0.1 gpk@onramp.net 3/27/99 |
| 2 | |
| 3 | I Intro |
| 4 | |
| 5 | This document covers the use of the modified "chat" program and its |
| 6 | adjunct "chatchat" to login using the Security Dynamics SecurID card |
| 7 | on a Linux system. |
| 8 | |
| 9 | This set of files comprises a modified version of the chat program |
| 10 | (the one distributed with ppp-2.3.5) and a new program called chatchat |
| 11 | that allows you to supply data from the keyboard to the chat program. |
| 12 | |
| 13 | The SecurID card generates passwords that have a lifetime of one |
| 14 | minute and are used as a first layer in dial up security. The only |
| 15 | software I know of for this card is for Windows, so I wrote my own. |
| 16 | This software allows you to type in the time-sensitive password right |
| 17 | when your chat script is asked to supply the passcode by the remote |
| 18 | system. |
| 19 | |
| 20 | |
| 21 | II How It Works |
| 22 | |
| 23 | This version of chat has an additional command that can be put into |
| 24 | its options that says "Don't reply with this string. Open this pipe, |
| 25 | read the contents, and reply with that instead." Chatchat creates a |
| 26 | pipe and lets you type your passcode into it, then chat picks that up |
| 27 | and sends it out just as though the passcode was hardcoded into the |
| 28 | options. |
| 29 | |
| 30 | |
| 31 | III Installation |
| 32 | |
| 33 | I've provided Intel binaries and source code for the modified chat |
| 34 | program and the chatchat program. I'll recommend that you copy the |
| 35 | chat.c program into your ppp-2.3.5/chat directory (save your original |
| 36 | chat.c program first!) and re-make it using the Makefile that comes |
| 37 | with chat. Copy the new chat somewhere into your path. (On my system |
| 38 | chat lives in /usr/sbin/chat, so I've copied the modified one into |
| 39 | /usr/sbin/chat.new and changed my dial in script to call chat.new |
| 40 | instead of chat.) |
| 41 | |
| 42 | Second, compile chatchat.c and install it somewhere in your path: |
| 43 | |
| 44 | gcc -g -o chatchat chatchat.c |
| 45 | cp chatchat /usr/sbin |
| 46 | |
| 47 | Third, modify your chat script to use the chatchat program. Mine |
| 48 | looks something like this: |
| 49 | |
| 50 | |
| 51 | -------------------- |
| 52 | |
| 53 | #!/bin/sh |
| 54 | # |
| 55 | # This is part 2 of the ppp-on script. It will perform the connection |
| 56 | # protocol for the desired connection. |
| 57 | # use atm0 to turn down the speaker volume on my sportster x2 voice modem |
| 58 | # gpk 11/2/97 |
| 59 | |
| 60 | exec /usr/sbin/chat.new -V -v \ |
| 61 | ABORT "BUSY" \ |
| 62 | ABORT "NO DIAL TONE" \ |
| 63 | ABORT "NO ANSWER" \ |
| 64 | TIMEOUT 50 \ |
| 65 | "" "atm0" \ |
| 66 | OK ATDT$TELEPHONE \ |
| 67 | CONNECT '' \ |
| 68 | name: \\da0xxxxxx \ |
| 69 | word: @/var/tmp/p \ |
| 70 | compress. '' |
| 71 | |
| 72 | |
| 73 | ----------------------- |
| 74 | |
| 75 | This is a standard chat script: |
| 76 | |
| 77 | * abort if the modem is busy, you don't get a dial tone, no one |
| 78 | answers, or 50 seconds elapse. |
| 79 | |
| 80 | * use atm0 to mute the modem |
| 81 | |
| 82 | * dial the modem, when it connects, wait to be asked for account name |
| 83 | |
| 84 | * when we see "name:" prompt, delay briefly then respond with your |
| 85 | account name (fill in your account name) |
| 86 | |
| 87 | Now we get to the new stuff: |
| 88 | |
| 89 | * when we see "word:" in the password prompt, instead of responding |
| 90 | with "@/var/tmp/p", the modified chat program will open the pipe |
| 91 | /var/tmp/p, read the passcode out of there, and send it |
| 92 | |
| 93 | * when we see "compress." (the last word before ppp starts), reply |
| 94 | with nothing. The script ends and we start ppp. |
| 95 | |
| 96 | Note: |
| 97 | |
| 98 | * Make sure there is some whitespace between the filename and the \. |
| 99 | |
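The pipe hand-off described in sections II and III, as an added C example (not taken from the modified chat.c or from chatchat.c): a helper creates the FIFO with owner-only permissions, and the reading side refuses anything at that path that is not a FIFO owned by the caller, which matters because /var/tmp is writable by every local user. The function names make_private_fifo and read_passcode are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper-side setup: create the FIFO for its owner only. */
int make_private_fifo(const char *path)
{
    if (mkfifo(path, 0600) != 0)
        return -1;                 /* EEXIST: something already sits at that path */
    return chmod(path, 0600);      /* do not depend on the caller's umask */
}

/* Hypothetical chat-side read: passcode length, or -1 if the path is not trusted. */
int read_passcode(const char *path, char *buf, size_t len)
{
    struct stat st;
    ssize_t n;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* blocks until a writer opens the FIFO */

    if (fd < 0)
        return -1;                                /* includes ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        errno = EPERM;                            /* wrong type, owner or permissions */
        return -1;
    }
    n = read(fd, buf, len - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';             /* drop the newline typed at the prompt */
    return (int)strlen(buf);
}

int main(int argc, char **argv)
{
    char code[64];
    if (argc != 2 || read_passcode(argv[1], code, sizeof code) < 0) {
        perror("read_passcode");
        return 1;
    }
    printf("read %zu-character passcode\n", strlen(code));  /* never echo the code itself */
    return 0;
}
```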
| 100 | |
| 101 | IV Usage |
| 102 | |
| 103 | To use this, install the modified chat and chatchat programs, and |
| 104 | modify your chat script similar to the above. Before you dial in, |
| 105 | start the chatchat program, giving it the same pipe as in your config |
| 106 | file. In the above case: |
| 107 | |
| 108 | chatchat /var/tmp/p |
| 109 | |
| 110 | Wait until you have one or two tick marks left on your card's |
| 111 | current number, then start your dial up process that eventually calls |
| 112 | chat. When chat goes to open and read the pipe, chatchat will prompt: |
| 113 | |
| 114 | |
| 115 | type PIN into SecurID card and |
| 116 | enter resulting passcode: |
| 117 | |
| 118 | At that point, type your PIN into your SecurID card, press |
| 119 | the diamond, and type the resulting numbers in as your passcode. If |
| 120 | you've left the -V -v options on your chat command you'll see |
| 121 | everything go out, otherwise it works silently. |
| 122 | |
| 123 | If you type the number wrong or run out of time, the server will |
| 124 | respond with an authentication failure. In that case you will have to |
| 125 | hang up and start again. I don't know how to build a conditional script |
| 126 | that says either expect "compress" next, but if you see "name:" again, |
| 127 | do this instead. |
| 128 | |
| 129 | |
| 130 | V Additional Information |
| 131 | |
| 132 | You can obtain additional information about chat and ppp from the |
| 133 | man pages for chat and pppd, as well as the PPP-HOWTO. |
| 134 | |