SUMMARY: PPP dial-in with SecurID

[jabr at blu.org (John Abreau)]

(I've summarized the replies below my signature)

My thanks to all who responded. I needed a simple one-click dialer for a
laptop I was setting up for an engineer here at Synopsys. I ended up
giving him Christoph's xplink, once he pointed out that if I leave the
password blank in the ISP config, it pops up a dialog box to prompt for
it.

--
John Abreau / Executive Director, Boston Linux & Unix 
Email: jabr at blu.org / URL: http://www.blu.org
ICQ#28611923 / AIM abreauj
-----------------------------------------------------------------------
"Working with NT is like trying to tune a watch wearing oven mitts.
 You can't get your fingers inside like you can with UNIX.
-----------------------------------------------------------------------
--------

Date: Fri, 17 Sep 1999 19:30:55 -0400
From: Kenneth E. Lussier <kenlussier at mediaone.net>
Reply-To: gnhlug at zk3.dec.com
To: gnhlug at zk3.dec.com
Subject: Re: PPP dial-in with SecurID

John,
        In the past, I've used the PPP dialer that comes with KDE. It's
configuration is very "Winows-esque". You can have an after-dial
terminal window open up to prompt for the token authentication.
Kenny

--------

Date: Sat, 18 Sep 1999 08:32:25 -0400
From: Dan Leary <dll at interlocutor.com>
Reply-To: gnhlug at zk3.dec.com
To: gnhlug at zk3.dec.com
Subject: Re: PPP dial-in with SecurID

John Abreau wrote:
> 
> I'm looking for a ppp dialer gui that works with a SecurID login for one
> of the guys at work. Basically anything that will let me prompt the user
> for the password in the middle of connecting should be fine.

Well, it's not GUI, but it's interactive.  I had to solve this same
problem
last year and the only thing I could find was an expect script,
apparently
originally from an O'Reilly book.  A modified version is attached.  It
should
be edited to suit (the dialup numbers, modem strings, pppd commandline).

-dll
    [ Part 2: "Attached Text" ]

#!/usr/bin/expect -f
#
# This  script was  written  by  Jim Isaacson  <jcisaac at crl.com>.  It is
# designed to work  as a script to use the  SecureCARD(tm) device.  This
# little device is mated with a central controller. The number displayed
# on this card changes every so often and  you need to enter  the number
# along with your user account name in order to gain access.  Since chat
# is based upon fixed strings this procedure will not work with chat.
#
# It is included by permission. An excellent reference for the expect
# program used by this script is in the book:
#
# "Exploring Expect"
# by Don Libes
# Published by O'Rielly and Associates
#
# (The original script has since been substantially modified).
#
# These are the parameters for the program.
#
set modem      /dev/modem
set countermax 10
#set speed      19200
set speed      38400
#set speed      57600
#set speed      115200

set dialup1    555-1212
set dialup2    1-800-555-5555

send_user "Known dialups:\n"
send_user "  dialup1:\t$dialup1\tDescription of dialup1\n"
send_user "  dialup2:\t$dialup2\tDescription of dialup2\n"
send_user "Enter a known dialup name, or a new number to dial: "

set timeout   -1
expect_user {
        dialup1\n {
                set dialup $dialup1
        }
        dialup2\n {
                set dialup $dialup2
        }
        -re "(.*)\n" {
                set dialup $expect_out(buffer)
        }
}

set timeout   60
send_user "Using dialup: $dialup\n"
send_user "Starting dialup/ppp negotiations...\n"

#system "setserial -av $modem autoconfig"
system "stty $speed -echoe -echo raw < $modem > $modem"
spawn -noecho -open [open $modem "r+"]

send "AT\r" 
expect "OK"
send "ATS10=255&F&C1&D2&K3W1\r" 
expect "OK"
send "ATM1L3S7=60S11=55S0=0\r"
expect "OK"
send "ATDT $dialup\r"

set timeout 30
set counter 0
set still_connecting 1

expect {
        -re ".*CONNECT.*(\r|\n)" {
                set timeout 2
                set still_connecting 0
                sleep 1
                send "\r"
                exp_continue
        }
        -re "BUSY" {
                send_user "Busy, try again later...\n"
                exit
        }
        -re "VOICE" {
                send_user "Voice, exiting...\n"
                exit
        }
        -re ".*NO.*CARRIER" {
                send_user "No carrier, exiting...\n"
                exit
        }
        -re ".*NO.*DIAL.*TONE" {
                send_user "No dialtone, exiting...\n"
                exit
        }

        -re ".*@ Userid:" {
                set timeout -1
                expect_user -re "(.*)\n"
                send "$expect_out(1,string)\r"
                set timeout 5
                exp_continue
        }
        -re ".*Password?" {
                set timeout -1
                expect_user -re "(.*)\n"
                send "$expect_out(1,string)\r"
                set timeout 30
                exp_continue
        }
        -re ".*>" {
                send "ppp\r"
        }

        -re ".*User ID:" {
                set timeout -1
                expect_user -re "(.*)\n"
                send "$expect_out(1,string)\r"
                set timeout 5
                exp_continue
        }
        -re ".*PASSCODE:" {
                set timeout -1
                expect_user -re "(.*)\n"
                send "$expect_out(1,string)\r"
                set timeout 30
                exp_continue
        }
        -re ".*PASSCODE Accepted.*" {
                send_user "Hooray...\n"
        }

        # These last two cases are supposed to catch expired passcode PINs.
        -re ".*Next.*:" {
                set timeout -1
                expect_user -re "(.*)\n"
                send "$expect_out(1,string)\r"
                set timeout 30
                exp_continue
        }
        -re "Your.*" {
                send "\r"
                exp_continue
        }

        timeout {
                if { $still_connecting > 0 } {
                        send_user "Still trying to connect...\n"
                        exp_continue 
                }
                incr counter
                send_user "Timeout number $counter of $countermax.\n"
                send "\r"
                if { $counter > $countermax } {
                        send_user "Giving up.\n"
                        exit
                } else {
                        send_user "... "
                        exp_continue
                }
        }
}

send_user "Running pppd...\n"
sleep 5
overlay -0 /dev/null -1 $spawn_id -2 $spawn_id /usr/sbin/pppd $modem $speed \
        asyncmap 0 -detach crtscts modem defaultroute \
        +ua /etc/ppp/pap-securid user SECURIDUSER

--------

Date: Sat, 18 Sep 1999 15:15:51 -0400
From: Bill Horne <linux16 at banet.net>
Reply-To: bill at horne.net
To: jabr at blu.org
Subject: [Fwd: [Fwd: PPP dial-in with SecurID]]

John,

Try these scripts: the user puts in a securid number, and
the script takes it
from there.  I usually wait until the number rolls over, so
I have a minute
to go before it's invalid.  

    [ Part 2: "Attached Text" ]

#!/bin/bash
cp /etc/resolv.conf-8235 /etc/resolv.conf
cp /etc/ppp/options-8235 /etc/ppp/options
/usr/sbin/pppd /dev/ttyS0 connect "/usr/sbin/chat -v -T ${1:?'A SecurID code
MUST be provided'} -f/usr/sbin/chatscript-8235"

    [ Part 3: "Attached Text" ]

              ABORT "NO CARRIER"
              ABORT "NO DIAL TONE"
              ABORT "ERROR"
              ABORT "NO ANSWER"
              ABORT "BUSY"
              ""    ATE1V1
              OK-\d\d+++\d\d\c-OK   ATH0
              OK     ATDT*70,<your TN here>
              CONNECT '\d\d\r'
              ID:    <your user id here>
              CODE:  <your PIN here>\T

--------

Date: Mon, 20 Sep 1999 15:52:18 +0200 (CEST)
From: Gyurcsan Ferenc Tamas <gyurex at brian.vpszk.bme.hu>
Reply-To: gnhlug at zk3.dec.com
To: gnhlug at zk3.dec.com
Subject: Re: PPP dial-in with SecurID

Hi,
>       In the past, I've used the PPP dialer that comes with KDE. It's
> configuration is very "Winows-esque". You can have an after-dial
> terminal window open up to prompt for the token authentication.

Yes, that's a pretty nice program. The only problem with it is that you
need to install kde because kppp is in the networking package of kde, and
it also needs kdelibrary and kdebase. So if you have kde, then that's
your choice. If you have any question about configuring it, just e-mail
to me. It's not very simple.
Regards,
Ferenc

--------

Date: Mon, 20 Sep 1999 15:06:36 -0400
From: Christoph Doerbeck A242369 <cdoerbec at cso.fmr.com>
To: John Abreau <jabr at Blu.Org>
Cc: discuss at Blu.Org
Subject: Re: PPP dial-in with SecurID 


xplink!!!!

The way it works... it grabs your securID before dialing and
passes it to pppd via ENV.  I used it forever without issues.

The only problem may be if you start dialing as your ID is about
to expire...

Let me know if you choose to use it, and I'll answer any questions...

--------

Date: Tue, 21 Sep 1999 16:37:57 -0400
From: Robert Sarao <sarao at tiac.net>
To: John Abreau <jabr at blu.org>
Subject: Re: PPP dial-in with SecurID

John,

        In case you didn't have an answer yet... and at last finally able to
"give" an answer TO YOU... What I do is open a terminal window after
dialing... Does the trick nicely ...

                                                Robert


-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).