Automatic Password Rotation for Guest Network?

Discussion in 'Tomato Firmware' started by davygravy, Jun 5, 2019.

  1. davygravy

    davygravy Network Newbie Member

    I'm wondering if someone here has already tried and failed/succeeded with some sort of script to automatically rotate passwords for wifi access on Tomato.

    The passwords could either be from a list, or perhaps formulaically generated.

    Anyone?
     
  2. eibgrad

    eibgrad Network Guru Member

    Before diving into the plumbing, what is the problem you're trying to solve? For all we know, this is the wrong solution. And that's what you've presented. A solution.
     
  3. davygravy

    davygravy Network Newbie Member

    Thanks.
     
  4. ruggerof

    ruggerof Network Guru Member

    Yes, I once did for my Guest SSID (if it was used). The script randomly selected from a list stored in the RAM, randomly selected a few numbers, joined the password from the list and the numbers, and then changed the password via NVRAM. After all that the script sends me the new password via Telegram message.
     
  5. davygravy

    davygravy Network Newbie Member

    Thank you @ruggerof, that is very helpful. This is pretty much what I was thinking of. Any chance you could share that, either by posting, or by PM?
     
  6. ruggerof

    ruggerof Network Guru Member

    Here it goes. Obviously I have changed the Telegram API codes. You have to find and insert the ones for your BOT and you as client.

    The main script
    Code:
    #!/bin/sh
    
    if [ ! -f /opt/NV_Tags/Change_Guest_Pass_Next_Time.txt ]; then     # No need to change password, exit the Script
        logger -t "GUEST PASSWORD Script" "****** Password for the Guest Network was not used, thus it won't be changed ******"
        exit 0
    else
        rm /opt/NV_Tags/Change_Guest_Pass_Next_Time.txt                # Remove the control file and continue.
    fi
    
    
    
    # Gets a random alpha-numeric password from a website API
    # PWD_Guest=`curl -s -k "http://www.sethcardoza.com/api/rest/tools/random_password_generator/complexity:alphaNumeric"`
    
    # Generates a Default Random Password (9 alphanumeric characters) in case of failure
    Default_Password=$(tr -cd 'A-Za-z0-9' </dev/urandom | head -c 9)
    
    
    # Grabs a Random word from dictionary words.txt
    getrandomphrase () {
        if [ -f /tmp/words.txt ]; then
            phrasecount=`wc -l /tmp/words.txt | cut -d " " -f 1`
            if [ "$phrasecount" = 0 ]; then
                # file is empty
                phrasepasswd=$Default_Password
            else
                randomnumber=`tr -cd 0-9 </dev/urandom | head -c 7 | sed 's/^0*//'`
                if [ -z "$randomnumber" ]; then
                    # cannot get a random number, bailing
                    phrasepasswd=$Default_Password
                else
                    phrasetext=`sed -n "$(( randomnumber % phrasecount + 1 ))p" /tmp/words.txt`
                    if [ -z "$phrasetext" ]; then
                        # blank lines in file, bailing
                        phrasepasswd=$Default_Password
                    else
                        if [ ${#phrasetext} -lt 4 ]; then
                            # phrase is too short: a WPA passphrase needs at least 8 characters and only 4 digits are appended
                            phrasepasswd=$Default_Password
                        else
                            # we have a phrase, now get 4 random digits
                            # (the commented-out D3 variant also allows an uppercase letter)
                            D1=$(grep -m1 -ao '[0-9]' /dev/urandom | head -n1)
                            D2=$(grep -m1 -ao '[0-9]' /dev/urandom | head -n1)
                            # D3=$(grep -m1 -ao '[A-Z0-9]' /dev/urandom | sed -e 's/O/0/g' -e 's/0/0/g' | head -n1)
                            D3=$(grep -m1 -ao '[0-9]' /dev/urandom | head -n1)
                            D4=$(grep -m1 -ao '[0-9]' /dev/urandom | head -n1)
                            randomnumber=$D1$D2$D3$D4
                            if [ -z "$randomnumber" ]; then
                                # cannot get a random number, bailing
                                phrasepasswd=$Default_Password
                            else
                                phrasepasswd=$phrasetext$randomnumber
                            fi
                        fi
                    fi
                fi
            fi
        else
            # file does not exist
            phrasepasswd=$Default_Password
        fi
    }
    
    
    # Call function to get a word from dictionary
    getrandomphrase
    
    # Use the generated phrase as the guest password
    PWD_Guest=$phrasepasswd
    
    # Gets the SSID from the NVRAM (underscores are escaped for Telegram's Markdown parser)
    SSID_Guest=`nvram get wl0.1_ssid`
    SSID=$(echo "$SSID_Guest" | sed -e 's/_/\\_/g')
    
    SSID_Guest2=`nvram get wl1.1_ssid`
    SSID2=$(echo "$SSID_Guest2" | sed -e 's/_/\\_/g')
    
    
    # Writes the random password to the NVRAM
    nvram set wl0.1_wpa_psk="$PWD_Guest"
    nvram set wl1.1_wpa_psk="$PWD_Guest"
    # nvram set wl1.1_ssid=$SSID_Guest
    nvram commit
    
    # Composes message for the Telegram API Bot
    # (the bot token and chat IDs below have been changed; insert the ones for your own bot and clients)
    message_header="https://api.telegram.org/bot210366640:AAFaG6BrH5dksmauwemaFUCFkItbW8m0_Q8/sendMessage?chat_id="
    message_footer="&parse_mode=Markdown&text=New%20password%20for%20"$SSID"%20and%20"$SSID2"%0a%0a\`"
    
    # Composes message admin and home
    message_to_admin=$message_header"123456789"$message_footer$PWD_Guest"\`"
    message_to_home=$message_header"987654321"$message_footer$PWD_Guest"\`"
    
    # Sends messages to Telegram
    # NOTE: -k skips TLS certificate verification; remove it if the router has a CA bundle, since the request carries the password
    curl -k -i -X POST "$message_to_admin"
    curl -k -i -X POST "$message_to_home"
    
    # Restart wireless to take effect
    sleep 3
    service wireless restart
    
    # Set radios to kick out clients with low speed.
    # /tmp/./Faster_Roaming_Settings.sh
    
    # Restore LEDs status (necessary as USB led turns off)
    /tmp/./stealthMode on
    sleep 3
    /tmp/./stealthMode off
    
    # Write password to log files
    logger -t "GUEST PASSWORD Script" "****** New password for the Guest Network is $PWD_Guest ******"
    
    sleep 5
    # Force new data to be written and then synched.
    /tmp/./Sync_Wifi_Details.sh
    
    The dictionary words.txt is attached as a file due to its size.

    Good luck with it.
     

    Last edited: Jun 7, 2019
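
A passphrase generator in the same spirit as the script above, as an added example that is not ruggerof's code: it goes beyond the original by joining several dictionary words, picking them without modulo bias, and enforcing the 8 to 63 character WPA2 passphrase limit before the value is used. The function names are hypothetical, and it assumes `od`, `tr`, `grep` and `sed` are available (BusyBox builds vary).

```shell
#!/bin/sh
# Added example, not the thread's script. Function names are hypothetical.

# rand_below N: uniform integer in [0, N) by rejection sampling (no modulo bias).
rand_below() {
    n=$1
    limit=$(( 4294967296 - 4294967296 % n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        [ -n "$r" ] && [ "$r" -lt "$limit" ] && break
    done
    echo $(( r % n ))
}

# fallback_psk: 16 random alphanumeric characters.
fallback_psk() {
    LC_ALL=C tr -cd 'A-Za-z0-9' </dev/urandom | head -c 16
}

# valid_psk STR: a WPA2 passphrase is 8..63 characters; restricting it to
# [A-Za-z0-9-] also means it needs no shell, URL or Markdown escaping.
valid_psk() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ] || return 1
    case $1 in *[!A-Za-z0-9-]*) return 1 ;; esac
    return 0
}

# gen_psk WORDFILE [NWORDS]: NWORDS random words joined by '-', then 4 digits.
# Falls back to fallback_psk if the list is missing/empty or the result is invalid.
gen_psk() {
    file=$1; nwords=${2:-3}; psk=
    count=$(grep -c . "$file" 2>/dev/null) || count=0   # non-blank lines only
    if [ "$count" -gt 0 ]; then
        i=0
        while [ "$i" -lt "$nwords" ]; do
            idx=$(( $(rand_below "$count") + 1 ))
            psk="${psk}$(grep . "$file" | sed -n "${idx}p")-"
            i=$(( i + 1 ))
        done
        psk="${psk}$(printf '%04d' "$(rand_below 10000)")"
    fi
    valid_psk "$psk" || psk=$(fallback_psk)
    echo "$psk"
}
```
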
  7. davygravy

    davygravy Network Newbie Member

    @ruggerof you have obviously put in some careful thought to this... thank you for sharing it. I will give it a try in a few weeks when I have some down time from other stuff. Very cool!
     
  8. ruggerof

    ruggerof Network Guru Member

    Not really, it was a quick and dirty script that BTW is full of useless stuff that you have to clean up. I haven't used my Tomato scripts for more than a year so I don't even remember some details of what was coded and the reason I coded like that.

    As my guest SSIDs are now managed by a voucher system in pfSense, my Tomato routers are used now only as AP/Switches.

    Anyway I hope it can provide you with ideas for what you need.
     