Password protect Specific Usb device

Sida

Hi to all.
I am trying to use ClientAuthorization to protect a specific dongle (with a defined vendor ID).
I am using a licensed VirtualHere server on a Raspberry Pi 2.

I set ClientAuthorization=1 in config.ini

My problem is that I am trying to use the example 2 script described here:
https://www.virtualhere.com/authorization

But in the auth script I do not see a password request box to define a password and ask every user connected to the server for it.

Can someone help me?

Thanks a lot

Michael

Example 2 returns 1 if the user is allowed to use the device and 0 if they are not allowed.

You need to return 2 so that the client knows to ask for a password. The client will then send the password back to the server in the $PASSWORD$ field.

Note in the first example the lines

# Return 2 if the user needs to provide a password (or the password is incorrect) to use the device
# Return 1 if the user is allowed to access this device
# Return 0 if the user is not allowed to access this device

You need to return specifically 2 to ask for the password.

Sida
I tried with example 1

This is my config.ini:
It=
License=
ServerName=SiDa Electronics
DeviceNicknames=Dtc,0471,485d,112,A,0471,485d,114
PingInterval=2
ClientAuthorization=/root/auth.sh "$0471$" "$485d$" "$PASSWORD$"

This is my auth.sh:
#!/bin/bash
# Example script for performing basic user authorization for virtualhere
# Also includes a simple password protection mechanism for accessing a device
# Return 2 if the user needs to provide a password (or the password is incorrec$
# Return 1 if the user is allowed to access this device
# Return 0 if the user is not allowed to access this device
# Parameters are passed in as:
# $1 = PASSWORD

logger "Authorizing -> '$1'"
# "mypassword" = "34819d7beeabb9260a5c854bc85b3e44" as an MD5 hash
if [ "$6" == "34819d7beeabb9260a5c854bc85b3e44" ]; then
echo "Password ok"
logger "Authorized!"
exit 1
else
exit 2

fi

Is there something wrong?
When I try to connect to 1 of my 2 devices connected there is a pop-up asking for the password, but if I insert nothing response, it asks me another time.
The strange thing is I specified product_id and client_id but the sw asks me for a password for both connected devices.

Can you help me?

Sida
Is someone able to find the problem in my configuration?

Michael

Sorry was out of the office for a week hence the delays:

Firstly, make sure your script is at /root/auth.sh and is executable (chmod +x).
Secondly, the line ClientAuthorization=/root/auth.sh "$0471$" "$485d$" "$PASSWORD$" does not make sense. You need to pass in exactly this:

ClientAuthorization=/root/auth.sh "$VENDOR_ID$" "$PRODUCT_ID$" "$PASSWORD$"

Thirdly, your script doesn't make sense: you are asking if $6 is the password, but the password is the third parameter, e.g. $3, as shown in the line above. So test $3 instead of $6. At least look in syslog to see what it's logging. The entry "Authorizing $1" is written to syslog, so switch that to $3.

slakwik
Always need BIND_PASSWORD_REQUIRED

Hi

In config.ini I wrote
clientAuthorization=/home/pi/virtualusb/auth.sh "$VENDOR_ID$" "$PRODUCT_ID$" "$CLIENT_ID$" "$CLIENT_IP$" "$DEVPATH$"
And when I connect to the USB device from the Windows client, a password is always required and the log shows the error "Error binding device 1143 [xxxx:xxxx] to connection 1, BIND_PASSWORD_REQUIRED".
The auth script does not contain "Error 2" in its return...

What happened? I'm trying the ARM and ARMPI3 versions with the same trouble.

=(

Michael

Paste your /home/pi/virtualusb/auth.sh script here

slakwik
#!/bin/sh
# Example script for performing advanced user authorization for VirtualHere
# Sponsored by ben@wildblue.de
#
# Return 1 if the user is allowed to access this device
# Return 0 if the user is not allowed to access this device
#
# Parameters are passed in as:
# $1 = VENDOR_ID
# $2 = PRODUCT_ID
# $3 = CLIENT_ID
# $4 = CLIENT_IP
# $5 = PRODUCT_SERIAL
#
#
# ----------------------------------------------------------------------
# clientAuthorization=/home/pi/virtualusb/auth.sh "$VENDOR_ID$" "$DEVPATH$" "$CLIENT_ID$" "$CLIENT_IP$" "$PRODUCT_ID$"
logger "Authorizing -> '$1' '$2' '$3' '$4' '$5'";

# Enable Logging of all Requests
ENABLE_LOGGING=true;
LOGFILE=/var/log/VirtualHere_Auth.log;
# Configured Devices
# DEVICE_CONFIG_X=( UniqueID "Device_NickName" "VendorID" "ProductID");
DEVICE_CONFIG_0=( 0 "NotConfiguredDevices" );
# buh dongle
DEVICE_CONFIG_1=( 1 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.2" );
DEVICE_CONFIG_2=( 2 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.3" );
DEVICE_CONFIG_3=( 3 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.4" );
DEVICE_CONFIG_4=( 4 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.5" );
DEVICE_CONFIG_5=( 5 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.2.1.6" );
DEVICE_CONFIG_6=( 6 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.1.7" );
DEVICE_CONFIG_7=( 7 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.1" );
DEVICE_CONFIG_8=( 8 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.3" );
DEVICE_CONFIG_9=( 9 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.1.4" );
DEVICE_CONFIG_10=( 10 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.1.5" );
DEVICE_CONFIG_11=( 11 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.6" );
DEVICE_CONFIG_12=( 12 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.1.7" );
DEVICE_CONFIG_13=( 13 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.2" );
DEVICE_CONFIG_14=( 14 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.2.3" );
DEVICE_CONFIG_15=( 15 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.2.4" );
DEVICE_CONFIG_16=( 16 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.2" );
DEVICE_CONFIG_17=( 17 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.3.3" );
DEVICE_CONFIG_18=( 18 "UsbDongle" "0529" "/sys/bus/usb/devices/1-1.3.4" );
DEVICE_CONFIG_19=( 19 "UsbDongle" "24dc" "/sys/bus/usb/devices/1-1.2.1.1" );
# bank dongle
DEVICE_CONFIG_20=( 20 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.1.1" ); #BK4
DEVICE_CONFIG_21=( 21 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.1.3" ); #BK5
DEVICE_CONFIG_22=( 22 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.3" ); #BK2
DEVICE_CONFIG_23=( 23 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.4" ); #BK3
DEVICE_CONFIG_24=( 24 "UsbDongle" "0a89" "/sys/bus/usb/devices/1-1.4.2" ); #BK1

# Configured Users
# USER_CONFIG_X=( UniqueID "username" USB-IDs );
USER_CONFIG_0=( 0 "Everyone" );
USER_CONFIG_1=( 1 "user1" ALL );
USER_CONFIG_2=( 2 "ES-3" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 );
USER_CONFIG_3=( 3 "order" 19 20 21 22 23 );
USER_CONFIG_4=( 4 "order" 19 20 21 22 23 );
# USER_CONFIG_4=( 4 "" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 );

# Configured IP-Addresses
# IP_CONFIG_X=( UniqueID "IP-address" UserIDs );
IP_CONFIG_0=( 0 "NotConfiguredAddresses" );
IP_CONFIG_1=( 1 "192.168.84.23" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 );
IP_CONFIG_2=( 2 "192.168.211.121" ALL );
IP_CONFIG_3=( 3 "192.168.1.36" 19 20 21 22 23 );
IP_CONFIG_4=( 4 "192.168.1.37" 19 20 21 22 23 );

# ----------------------------------------------------------------------
# Map Parameters to readable VariableNames
VENDOR_ID=$1;
PRODUCT_ID=$2;
CLIENT_ID=$3;
CLIENT_IP=$4;
PRODUCT_SERIAL=$5;

# Pre-Authorization-Check (requested User and current Device must be configured)
CURRENT_DEVICE=();
for ARRAY_NAME in ${!DEVICE_CONFIG_@}; do
# Get Data from DeviceConfig-Array
DEVICE_CONFIG=($(eval "echo \${$ARRAY_NAME[@]}"));

# Check DeviceConfig-Arguments
COUNT_ARGS=${#DEVICE_CONFIG[@]};
if [[ $COUNT_ARGS -eq 4 ]]; then
# This Device has a complete DataSet
# Is this the CurrentRequested Device
DEVICE_UID=${DEVICE_CONFIG[0]};
DEVICE_NICKNAME=${DEVICE_CONFIG[1]};
DEVICE_VENDOR_ID=${DEVICE_CONFIG[2]};
DEVICE_PRODUCT_ID=${DEVICE_CONFIG[3]};

if [ "$VENDOR_ID" == "$DEVICE_VENDOR_ID" ] &&
[ "$PRODUCT_ID" == "$DEVICE_PRODUCT_ID" ]; then
CURRENT_DEVICE=(${DEVICE_CONFIG[@]});
fi
fi
done;
if [[ "${#CURRENT_DEVICE[*]}" -eq 0 ]]; then CURRENT_DEVICE=(${DEVICE_CONFIG_0[@]}); fi

CURRENT_USER=();
for ARRAY_NAME in ${!USER_CONFIG_@}; do
# Get Data from UserConfig-Array
USER_CONFIG=($(eval "echo \${$ARRAY_NAME[@]}"));

# Check UserConfig-Arguments
COUNT_ARGS=${#USER_CONFIG[@]};
if [[ $COUNT_ARGS -gt 2 ]]; then
# This User has Device-Authentification specified
# Is this the CurrentRequested User
USER_NAME=${USER_CONFIG[1]};
if [[ "$CLIENT_ID" == *"($USER_NAME)"* ]]; then
CURRENT_USER=(${USER_CONFIG[@]});
fi
fi
done;
if [[ "${#CURRENT_USER[*]}" -eq 0 ]]; then CURRENT_USER=(${USER_CONFIG_0[@]}); fi

CURRENT_IPADDRESS=();
for ARRAY_NAME in ${!IP_CONFIG_@}; do
# Get Data from IPConfig-Array
IP_CONFIG=($(eval "echo \${$ARRAY_NAME[@]}"));

# Check IPConfig-Arguments
COUNT_ARGS=${#IP_CONFIG[@]};
if [[ $COUNT_ARGS -gt 2 ]]; then
# This IP-Address has a complete DataSet
# Is this the CurrentRequested IP-Address
IP_ADDRESS=${IP_CONFIG[1]};

if [[ "$CLIENT_IP" == "$IP_ADDRESS" ]]; then
CURRENT_IPADDRESS=(${IP_CONFIG[@]});
fi
fi
done;
if [[ "${#CURRENT_IPADDRESS[*]}" -eq 0 ]]; then CURRENT_IPADDRESS=(${IP_CONFIG_0[@]}); fi

# Configured Device-User-IpAddress Authorization
if [ "${#CURRENT_USER[*]}" -gt 0 ] &&
[ "${#CURRENT_DEVICE[*]}" -gt 0 ] &&
[ "${#CURRENT_IPADDRESS[*]}" -gt 0 ]; then
USER_AUTHORIZED=false;
ID_USER=0;
for AUTH_PARAM in ${CURRENT_USER[@]}; do
if [[ ID_USER -gt 1 ]]; then
if [ "$AUTH_PARAM" == "ALL" ] ||
[ "$AUTH_PARAM" == ${CURRENT_DEVICE[0]} ]; then
USER_AUTHORIZED=true;
fi
fi
let "ID_USER += 1";
done;

IPADDRESS_AUTHORIZED=false;
ID_IPADDRESS=0;
for AUTH_PARAM in ${CURRENT_IPADDRESS[@]}; do
if [[ ID_IPADDRESS -gt 1 ]]; then
if [ "$AUTH_PARAM" == "ALL" ] ||
[ "$AUTH_PARAM" == ${CURRENT_USER[0]} ]; then
IPADDRESS_AUTHORIZED=true;
fi
fi
let "ID_IPADDRESS += 1";
done;
fi

AUTHORIZED=false;
AUTH_RESULT="NOT Authorized!";
if [ "$USER_AUTHORIZED" == true ] &&
[ "$IPADDRESS_AUTHORIZED" == true ]; then
AUTHORIZED=true;
AUTH_RESULT="Authorized!";
fi

# Define Logging
if [[ "$ENABLE_LOGGING" == true ]]; then
# Create new Logfile-Entry with current Date, User and Parameters
echo "`date`, User: [$USER]" >> $LOGFILE;
echo " Used Parameters : ['$1' '$2' '$3' '$4' '$5']" >> $LOGFILE;
echo " Selected Device : ${CURRENT_DEVICE[@]}" >> $LOGFILE;
echo " Selected User : ${CURRENT_USER[@]}" >> $LOGFILE;
echo " Selected IP-Address : ${CURRENT_IPADDRESS[@]}" >> $LOGFILE;
echo " Auth-Result : $AUTH_RESULT" >> $LOGFILE;
fi

# Final Authorization of the current Request
logger $AUTH_RESULT;

if [[ "$AUTHORIZED" == true ]]; then echo $?; echo $AUTH_RESULT; exit 1;
else echo $?; exit 0; fi

-----
All checks are OK when I run this script in bash.

Michael

Nowhere in that script is there any reference to PASSWORD.

I think you need to start with the basics as shown in the example 1 here https://www.virtualhere.com/authorization and get that working first then move on to something more complicated.

slakwik
Yeah, I've been trying a simple auth script.
And whatever I use in IF THEN - BIND_PASSWORD_REQUIRED is showing...

And I don't mind, why Server required the password.

Michael

That script will log values to syslog. That's what logger does. Look for those entries in syslog to help you figure out what it's doing.

slakwik
In syslog only this

Apr 26 09:42:59 raspberrypi logger: Authorizing -> '0a89' '/sys/bus/usb/devices/1-1.4.1.1' 'user1 (user1)' '192.168.216.111' '0030'
Apr 26 09:42:59 raspberrypi vhusbdarm[22602]: Error binding device 11411 [0a89:0030] to connection 1, BIND_PASSWORD_REQUIRED

slakwik
And

# Create new Logfile-Entry with current Date, User and Parameters
echo "`date`, User: [$USER]" >> $LOGFILE;
echo " Used Parameters : ['$1' '$2' '$3' '$4' '$5']" >> $LOGFILE;
echo " Selected Device : ${CURRENT_DEVICE[@]}" >> $LOGFILE;
echo " Selected User : ${CURRENT_USER[@]}" >> $LOGFILE;
echo " Selected IP-Address : ${CURRENT_IPADDRESS[@]}" >> $LOGFILE;
echo " Auth-Result : $AUTH_RESULT" >> $LOGFILE;

But no records show up in LOGFILE when the server runs auth.sh.

Michael

You need to do what I say, otherwise I cannot help. I told you to get example 1 working, yet I see a completely different script and only 5 parameters being passed. No more help until you try example 1.

slakwik
OK. I'll try this tomorrow.
Thanks.

slakwik
Michael, hi

The Bash script, even though it contains some errors, runs without problem in bash, but the exit code is 2 aaaaaand USBServer accepted "exit 2" as "BIND_PASSWORD_REQUIRED".
:^)
That's all.

Michael

Just then I tested it again. Works fine for me running exactly the code in example 1 on my Pi.

It should return BIND_PASSWORD_REQUIRED because it needs a password. The client pops up a password dialog and the user enters a password. The password is then sent to the server and the device can be used.

Many people use this feature and they have no issues, so I'm pretty sure it's your setup...

slakwik
Yes. This is my bad - the auth.sh script contains some errors and, when run in bash, returned exit code 2. USBServer sees this exit code and accepts it as the need for a password. The problem is only in that. But yes, of course I agree - it is a problem of a bad script, not the server.
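
A fail-closed take on the two problems worked through in this thread, as an added example that is not part of the original posts and not VirtualHere's own script: it tests the parameters in the order Michael gives, prompts only for the 0471:485d dongle, and reports a script that does not parse as a denial instead of letting its exit status 2 reach the server. The function names decide and checked_status are hypothetical, the "other device" ID pair in the demo is constructed, and the wrapper assumes the auth script is one that /bin/sh runs.

```shell
#!/bin/sh
# Added example, not VirtualHere's own script. POSIX sh only (no arrays, no [[ ]]),
# so it parses under /bin/sh. Assumed config.ini line, as given in the thread:
#   ClientAuthorization=/root/auth.sh "$VENDOR_ID$" "$PRODUCT_ID$" "$PASSWORD$"

PROTECTED_VENDOR="0471"     # the one dongle to protect (IDs from the thread)
PROTECTED_PRODUCT="485d"
PASSWORD_MD5="34819d7beeabb9260a5c854bc85b3e44"   # "mypassword", per the thread

# decide VENDOR_ID PRODUCT_ID PASSWORD
# Prints the status the server expects: 0 = deny, 1 = allow, 2 = ask for password.
decide() {
    # Wrong argument count means config.ini and the script disagree: deny.
    [ "$#" -eq 3 ] || { echo 0; return 0; }
    if [ "$1" != "$PROTECTED_VENDOR" ] || [ "$2" != "$PROTECTED_PRODUCT" ]; then
        echo 1          # every other device stays usable without a prompt
        return 0
    fi
    if [ "$3" = "$PASSWORD_MD5" ]; then echo 1; else echo 2; fi
}

# checked_status SCRIPT [ARGS...]
# Runs an auth script (assumed to be a /bin/sh script) and prints the status
# to hand to the server. A script that fails to parse, or exits with anything
# other than 0/1/2, counts as a denial, so a syntax error cannot surface as
# "password required".
checked_status() {
    script=$1
    shift
    if ! sh -n "$script" 2>/dev/null; then   # -n: parse only, do not execute
        echo 0
        return 0
    fi
    status=0
    sh "$script" "$@" >/dev/null 2>&1 || status=$?
    case $status in
        0|1|2) echo "$status" ;;
        *)     echo 0 ;;
    esac
}

# Constructed demo calls. Deployed as /root/auth.sh, the file would instead
# end with:  exit "$(decide "$@")"
echo "protected dongle, no password -> $(decide 0471 485d '')"
echo "protected dongle, right hash  -> $(decide 0471 485d "$PASSWORD_MD5")"
echo "other device (constructed)    -> $(decide 0529 0001 '')"
```
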
