Password protect specific USB device

Hi to all.
I am trying to use ClientAuthorization to protect a specific dongle (with a defined vendor id).
I am using a licensed VirtualHere server on a Raspberry Pi 2.

I set ClientAuthorization=1 in config.ini

My problem is that I am trying to use the example 2 script described here:
https://www.virtualhere.com/authorization

But in the auth script I do not see a password request box to define a password and ask every user connected to the server for it.

Can someone help me?

Thanks a lot

#2

Example 2 returns 1 if the user is allowed to use the device and 0 if they are not allowed.

You need to return 2 so that the client knows to ask for a password. The client will then send the password back to the server in the $PASSWORD$ field.

Note in the first example the lines

# Return 2 if the user needs to provide a password (or the password is incorrect) to use the device
# Return 1 if the user is allowed to access this device
# Return 0 if the user is not allowed to access this device

You need to return specifically 2 to ask for the password

#3

I tried with example 1

This is my config.ini:
It=
License=
ServerName=SiDa Electronics
DeviceNicknames=Dtc,0471,485d,112,A,0471,485d,114
PingInterval=2
ClientAuthorization=/root/auth.sh "$0471$" "$485d$" "$PASSWORD$"

This is my Auth.sh
#!/bin/bash
# Example script for performing basic user authorization for virtualhere
# Also includes a simple password protection mechanism for accessing a device
# Return 2 if the user needs to provide a password (or the password is incorrec$
# Return 1 if the user is allowed to access this device
# Return 0 if the user is not allowed to access this device
# Parameters are passed in as:
# $1 = PASSWORD

logger "Authorizing -> '$1'"
# "mypassword" = "34819d7beeabb9260a5c854bc85b3e44" as an MD5 hash
if [ "$6" == "34819d7beeabb9260a5c854bc85b3e44" ]; then
    echo "Password ok"
    logger "Authorized!"
    exit 1
else
    exit 2
fi

Is there something wrong?
When I try to connect to 1 of my 2 connected devices there is a pop-up asking for a password, but if I insert nothing response, it asks me another time.
The strange thing is I specified product_id and client_id but the software asks me for a password for both connected devices.

Can you help me?

#5

Sorry was out of the office for a week hence the delays:

Firstly make sure your script is at /root/auth.sh and is executable (chmod +x)
Secondly the line ClientAuthorization=/root/auth.sh "$0471$" "$485d$" "$PASSWORD$" does not make sense. You need to pass in exactly this

ClientAuthorization=/root/auth.sh "$VENDOR_ID$" "$PRODUCT_ID$" "$PASSWORD$"

Thirdly your script doesn't make sense, you are asking if $6 is the password, but the password is the third parameter e.g. $3 as shown in the line above. So test $3 instead of $6. At least look in syslog to see what it's logging. The entry "Authorizing $1" is written to syslog so switch that to $3
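
An added example, not part of the original posts and not VirtualHere's own script: one way to password-protect only the 0471:485d device with the three-parameter ClientAuthorization line given above, using the return codes 2/1/0 quoted earlier in the thread. The function names authorize and log are this example's own, and it assumes, as the poster's script does, that the $PASSWORD$ field arrives as an MD5 hash.

```shell
#!/bin/sh
# Added example (not VirtualHere's own script). Assumed config.ini line, from the thread:
#   ClientAuthorization=/root/auth.sh "$VENDOR_ID$" "$PRODUCT_ID$" "$PASSWORD$"
# Exit codes per the thread: 2 = ask for / wrong password, 1 = allowed, 0 = denied.

# Device to protect, taken from the poster's config (vendor 0471, product 485d).
PROTECTED_VENDOR="0471"
PROTECTED_PRODUCT="485d"
# MD5 of "mypassword", the sample value from the thread; replace it in real use.
EXPECTED_HASH="34819d7beeabb9260a5c854bc85b3e44"

log() {
    # Log the decision only; the password field is never written to syslog.
    if command -v logger >/dev/null 2>&1; then
        logger -t vh-auth "$1" 2>/dev/null || true
    fi
}

authorize() {
    vendor=$1
    product=$2
    password=$3

    # Devices other than the protected one are allowed without a prompt.
    if [ "$vendor" != "$PROTECTED_VENDOR" ] || [ "$product" != "$PROTECTED_PRODUCT" ]; then
        log "allow $vendor:$product (not password protected)"
        return 1
    fi

    # Protected device: an empty or wrong value makes the client prompt (again).
    if [ "$password" = "$EXPECTED_HASH" ]; then
        log "allow $vendor:$product (password ok)"
        return 1
    fi
    log "password required for $vendor:$product"
    return 2
}

# Act as the authorization script only when the server passes arguments.
if [ "$#" -gt 0 ]; then
    authorize "$1" "$2" "$3"
    exit $?
fi
```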

#6

Hi

In config.ini I wrote
clientAuthorization=/home/pi/virtualusb/auth.sh "$VENDOR_ID$" "$PRODUCT_ID$" "$CLIENT_ID$" "$CLIENT_IP$" "$DEVPATH$"
And when I connect to the USB device from the Windows client, a password is always required and the log shows the error "Error binding device 1143 [xxxx:xxxx] to connection 1, BIND_PASSWORD_REQUIRED".
The auth script does not contain "Error 2" in its return...

What happened? I'm trying the ARM and ARMPI3 versions with the same trouble

=(

#7

Paste your /home/pi/virtualusb/auth.sh script here

#8

#!/bin/sh
# Example script for performing advanced user authorization for VirtualHere
# Sponsored by ben [at] wildblue.de (ben[at]wildblue[dot]de)
#
# Return 1 if the user is allowed to access this device
# Return 0 if the user is not allowed to access this device
#
# Parameters are passed in as:
# $1 = VENDOR_ID
# $2 = PRODUCT_ID
# $3 = CLIENT_ID
# $4 = CLIENT_IP
# $5 = PRODUCT_SERIAL
#
#
# ----------------------------------------------------------------------
# clientAuthorization=/home/pi/virtualusb/auth.sh "$VENDOR_ID$" "$DEVPATH$" "$CLIENT_ID$" "$CLIENT_IP$" "$PRODUCT_ID$"
logger "Authorizing -> '$1' '$2' '$3' '$4' '$5'";

# Enable Logging of all Requests
ENABLE_LOGGING=true;
LOGFILE=/var/log/VirtualHere_Auth.log;
# Configured Devices
# DEVICE_CONFIG_X=( UniqueID "Device_NickName" "VendorID" "ProductID");
DEVICE_CONFIG_0=( 0 "NotConfiguredDevices" );
# buh dongle
DEVICE_CONFIG_1=( 1 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.2" );
DEVICE_CONFIG_2=( 2 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.3" );
DEVICE_CONFIG_3=( 3 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.4" );
DEVICE_CONFIG_4=( 4 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.5" );
DEVICE_CONFIG_5=( 5 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.2.1.6" );
DEVICE_CONFIG_6=( 6 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.7" );
DEVICE_CONFIG_7=( 7 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.1" );
DEVICE_CONFIG_8=( 8 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.3" );
DEVICE_CONFIG_9=( 9 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.1.4" );
DEVICE_CONFIG_10=( 10 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.1.5" );
DEVICE_CONFIG_11=( 11 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.6" );
DEVICE_CONFIG_12=( 12 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.7" );
DEVICE_CONFIG_13=( 13 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.2" );
DEVICE_CONFIG_14=( 14 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.3" );
DEVICE_CONFIG_15=( 15 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.2.4" );
DEVICE_CONFIG_16=( 16 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.2" );
DEVICE_CONFIG_17=( 17 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.3" );
DEVICE_CONFIG_18=( 18 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.4" );
DEVICE_CONFIG_19=( 19 "UsbDongle" "24dc" "/sys/bus/usb/devices/1-1.2.1.1" );
# bank dongle
DEVICE_CONFIG_20=( 20 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.1.1" ); #BK4
DEVICE_CONFIG_21=( 21 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.1.3" ); #BK5
DEVICE_CONFIG_22=( 22 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.3" ); #BK2
DEVICE_CONFIG_23=( 23 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.4" ); #BK3
DEVICE_CONFIG_24=( 24 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.2" ); #BK1

# Configured Users
# USER_CONFIG_X=( UniqueID "username" USB-IDs );
USER_CONFIG_0=( 0 "Everyone" );
USER_CONFIG_1=( 1 "user1" ALL );
USER_CONFIG_2=( 2 "ES-3" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 );
USER_CONFIG_3=( 3 "order" 19 20 21 22 23 );
USER_CONFIG_4=( 4 "order" 19 20 21 22 23 );
# USER_CONFIG_4=( 4 "" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 );

# Configured IP-Addresses
# IP_CONFIG_X=( UniqueID "IP-address" UserIDs );
IP_CONFIG_0=( 0 "NotConfiguredAddresses" );
IP_CONFIG_1=( 1 "192.168.84.23" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 );
IP_CONFIG_2=( 2 "192.168.211.121" ALL );
IP_CONFIG_3=( 3 "192.168.1.36" 19 20 21 22 23 );
IP_CONFIG_4=( 4 "192.168.1.37" 19 20 21 22 23 );

# ----------------------------------------------------------------------
# Map Parameters to readable VariableNames
VENDOR_ID=$1;
PRODUCT_ID=$2;
CLIENT_ID=$3;
CLIENT_IP=$4;
PRODUCT_SERIAL=$5;

# Pre-Authorization-Check (requested User and current Device must be configured)
CURRENT_DEVICE=();
for ARRAY_NAME in ${!DEVICE_CONFIG_@}; do
    # Get Data from DeviceConfig-Array
    DEVICE_CONFIG=($(eval "echo \${$ARRAY_NAME[@]}"));

    # Check DeviceConfig-Arguments
    COUNT_ARGS=${#DEVICE_CONFIG[@]};
    if [[ $COUNT_ARGS -eq 4 ]]; then
        # This Device has a complete DataSet
        # Is this the CurrentRequested Device
        DEVICE_UID=${DEVICE_CONFIG[0]};
        DEVICE_NICKNAME=${DEVICE_CONFIG[1]};
        DEVICE_VENDOR_ID=${DEVICE_CONFIG[2]};
        DEVICE_PRODUCT_ID=${DEVICE_CONFIG[3]};

        if [ "$VENDOR_ID" == "$DEVICE_VENDOR_ID" ] &&
           [ "$PRODUCT_ID" == "$DEVICE_PRODUCT_ID" ]; then
            CURRENT_DEVICE=(${DEVICE_CONFIG[@]});
        fi
    fi
done;
if [[ "${#CURRENT_DEVICE[*]}" -eq 0 ]]; then CURRENT_DEVICE=(${DEVICE_CONFIG_0[@]}); fi

CURRENT_USER=();
for ARRAY_NAME in ${!USER_CONFIG_@}; do
    # Get Data from UserConfig-Array
    USER_CONFIG=($(eval "echo \${$ARRAY_NAME[@]}"));

    # Check UserConfig-Arguments
    COUNT_ARGS=${#USER_CONFIG[@]};
    if [[ $COUNT_ARGS -gt 2 ]]; then
        # This User has Device-Authentification specified
        # Is this the CurrentRequested User
        USER_NAME=${USER_CONFIG[1]};
        if [[ "$CLIENT_ID" == *"($USER_NAME)"* ]]; then
            CURRENT_USER=(${USER_CONFIG[@]});
        fi
    fi
done;
if [[ "${#CURRENT_USER[*]}" -eq 0 ]]; then CURRENT_USER=(${USER_CONFIG_0[@]}); fi

CURRENT_IPADDRESS=();
for ARRAY_NAME in ${!IP_CONFIG_@}; do
    # Get Data from IPConfig-Array
    IP_CONFIG=($(eval "echo \${$ARRAY_NAME[@]}"));

    # Check IPConfig-Arguments
    COUNT_ARGS=${#IP_CONFIG[@]};
    if [[ $COUNT_ARGS -gt 2 ]]; then
        # This IP-Address has a complete DataSet
        # Is this the CurrentRequested IP-Address
        IP_ADDRESS=${IP_CONFIG[1]};

        if [[ "$CLIENT_IP" == "$IP_ADDRESS" ]]; then
            CURRENT_IPADDRESS=(${IP_CONFIG[@]});
        fi
    fi
done;
if [[ "${#CURRENT_IPADDRESS[*]}" -eq 0 ]]; then CURRENT_IPADDRESS=(${IP_CONFIG_0[@]}); fi

# Configured Device-User-IpAddress Authorization
if [ "${#CURRENT_USER[*]}" -gt 0 ] &&
   [ "${#CURRENT_DEVICE[*]}" -gt 0 ] &&
   [ "${#CURRENT_IPADDRESS[*]}" -gt 0 ]; then
    USER_AUTHORIZED=false;
    ID_USER=0;
    for AUTH_PARAM in ${CURRENT_USER[@]}; do
        if [[ ID_USER -gt 1 ]]; then
            if [ "$AUTH_PARAM" == "ALL" ] ||
               [ "$AUTH_PARAM" == ${CURRENT_DEVICE[0]} ]; then
                USER_AUTHORIZED=true;
            fi
        fi
        let "ID_USER += 1";
    done;

    IPADDRESS_AUTHORIZED=false;
    ID_IPADDRESS=0;
    for AUTH_PARAM in ${CURRENT_IPADDRESS[@]}; do
        if [[ ID_IPADDRESS -gt 1 ]]; then
            if [ "$AUTH_PARAM" == "ALL" ] ||
               [ "$AUTH_PARAM" == ${CURRENT_USER[0]} ]; then
                IPADDRESS_AUTHORIZED=true;
            fi
        fi
        let "ID_IPADDRESS += 1";
    done;
fi

AUTHORIZED=false;
AUTH_RESULT="NOT Authorized!";
if [ "$USER_AUTHORIZED" == true ] &&
   [ "$IPADDRESS_AUTHORIZED" == true ]; then
    AUTHORIZED=true;
    AUTH_RESULT="Authorized!";
fi

# Define Logging
if [[ "$ENABLE_LOGGING" == true ]]; then
    # Create new Logfile-Entry with current Date, User and Parameters
    echo "`date`, User: [$USER]" >> $LOGFILE;
    echo " Used Parameters : ['$1' '$2' '$3' '$4' '$5']" >> $LOGFILE;
    echo " Selected Device : ${CURRENT_DEVICE[@]}" >> $LOGFILE;
    echo " Selected User : ${CURRENT_USER[@]}" >> $LOGFILE;
    echo " Selected IP-Address : ${CURRENT_IPADDRESS[@]}" >> $LOGFILE;
    echo " Auth-Result : $AUTH_RESULT" >> $LOGFILE;
fi

# Final Authorization of the current Request
logger $AUTH_RESULT;

if [[ "$AUTHORIZED" == true ]]; then echo $?; echo $AUTH_RESULT; exit 1;
else echo $?; exit 0; fi

-----
All checks are OK when I run this script in bash.

#9

Nowhere in that script is there any reference to PASSWORD.

I think you need to start with the basics as shown in the example 1 here https://www.virtualhere.com/authorization and get that working first then move on to something more complicated.

#10

Yeah, I've been trying a simple auth script.
And whatever I use in IF THEN - BIND_PASSWORD_REQUIRED is showing...

And I don't mind, why the server required the password.

#11

That script will log values to syslog. That's what logger does. Look for those entries in syslog to help you figure out what it's doing.

#12

In syslog only this

Apr 26 09:42:59 raspberrypi logger: Authorizing -> '0a89' '/sys/bus/usb/devices/1-1.4.1.1' 'user1 (user1)' '192.168.216.111' '0030'
Apr 26 09:42:59 raspberrypi vhusbdarm[22602]: Error binding device 11411 [0a89:0030] to connection 1, BIND_PASSWORD_REQUIRED

#13

And

# Create new Logfile-Entry with current Date, User and Parameters
echo "`date`, User: [$USER]" >> $LOGFILE;
echo " Used Parameters : ['$1' '$2' '$3' '$4' '$5']" >> $LOGFILE;
echo " Selected Device : ${CURRENT_DEVICE[@]}" >> $LOGFILE;
echo " Selected User : ${CURRENT_USER[@]}" >> $LOGFILE;
echo " Selected IP-Address : ${CURRENT_IPADDRESS[@]}" >> $LOGFILE;
echo " Auth-Result : $AUTH_RESULT" >> $LOGFILE;

But no records are showing in LOGFILE when the server runs auth.sh..

#14

You need to do what I say, otherwise I cannot help. I told you to get example 1 working, yet I see a completely different script and only 5 parameters being passed. No more help until you try example 1.

#16

Michael, hi

The bash script, even though it contains some errors, runs without problem in bash, but the exit code is 2 aaaaaand USBServer accepted "exit 2" as "BIND_PASSWORD_REQUIRED".
:^)
That's all.

#17

Just then I tested it again. Works fine for me running exactly the code in example 1 on my pi.

It should return BIND_PASSWORD_REQUIRED because it needs a password. The client pops up a password dialog and the user enters a password. The password is then sent to the server and the device can be used.

Many people use this feature and they have no issues so I'm pretty sure it's your setup...

#18

Yes. This is my bad - the auth.sh script contains some errors and, when run in bash, returned exit code 2. And USBServer sees this exit code and accepts it as a need for the password. The problem is only in that. But yes, of course I agree - it is a problem of a bad script, not of the server.
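
An added example, not part of the original posts and not VirtualHere's own code: the thread's root cause was a script error whose exit status 2 was read as "password required", so this wrapper takes the decision from an explicit verdict word instead of the exit status and denies when none is produced. The ALLOW/DENY/PASSWORD convention and the names run_policy, policy_ok and policy_broken are assumptions made up for this example.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around an authorization policy.
# Assumption: the policy prints one verdict word (ALLOW, DENY or PASSWORD)
# as its last stdout line; this convention is invented for the example.

# run_policy CMD [ARGS...]
# Returns the codes named in the thread: 1 = allow, 2 = ask for password, 0 = deny.
run_policy() {
    # Only stdout is trusted. The policy's own exit status is ignored on purpose,
    # because a shell error can also end the script with status 2.
    verdict=$("$@" 2>/dev/null | tail -n 1) || verdict=""
    case "$verdict" in
        ALLOW)    return 1 ;;
        PASSWORD) return 2 ;;
        DENY)     return 0 ;;
        *)
            # No verdict: the policy crashed or was cut short. Deny and leave a trace.
            if command -v logger >/dev/null 2>&1; then
                logger -t vh-auth "policy produced no verdict, denying" 2>/dev/null || true
            fi
            return 0 ;;
    esac
}

# Constructed policies for demonstration.
policy_ok()     { echo "ALLOW"; }
# Syntax error: the shell exits non-zero and prints no verdict.
policy_broken() { sh -c 'if then fi'; }

# Act as the authorization script only when a policy command is given.
if [ "$#" -gt 0 ]; then
    run_policy "$@"
    exit $?
fi
```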