v 0.1 gpk@onramp.net 3/27/99

I  Intro

  This document covers the use of the modified "chat" program and its
adjunct "chatchat" to log in using the Security Dynamics SecurID card
on a Linux system.

  This set of files comprises a modified version of the chat program
(the one distributed with ppp-2.3.5) and a new program called chatchat
that allows you to supply data from the keyboard to the chat program.

  The SecurID card generates passwords that have a lifetime of one
minute and are used as a first layer in dial up security. The only
software I know of for this card is for Windows, so I wrote my own.
This software allows you to type in the time-sensitive password right
when your chat script is asked to supply the passcode by the remote
system.


II  How It Works

  This version of chat has an additional command that can be put into
its options that says "Don't reply with this string. Open this pipe,
read the contents, and reply with that instead." Chatchat creates a
pipe and lets you type your passcode into it, then chat picks that up
and sends it out just as though the passcode was hardcoded into the
options.


III  Installation

  I've provided Intel binaries and source code for the modified chat
program and the chatchat program. I'll recommend that you copy the
chat.c program into your ppp-2.3.5/chat directory (save your original
chat.c program first!) and re-make it using the Makefile that comes
with chat. Copy the new chat somewhere into your path. (On my system
chat lives in /usr/sbin/chat, so I've copied the modified one into
/usr/sbin/chat.new and changed my dial in script to call chat.new
instead of chat.)

  Second, compile chatchat.c and install it somewhere in your path:

    gcc -g -o chatchat chatchat.c
    cp chatchat /usr/sbin

  Third, modify your chat script to use the chatchat program. Mine
looks something like this:


 --------------------

#!/bin/sh
#
# This is part 2 of the ppp-on script. It will perform the connection
# protocol for the desired connection.
# use atm0 to turn down the speaker volume on my sportster x2 voice modem
# gpk 11/2/97

exec /usr/sbin/chat.new -V -v \
        ABORT "BUSY" \
        ABORT "NO DIAL TONE" \
        ABORT "NO ANSWER" \
        TIMEOUT 50 \
        "" "atm0" \
        OK ATDT$TELEPHONE \
        CONNECT '' \
        name: \\da0xxxxxx \
        word: @/var/tmp/p \
        compress. ''


 -----------------------

  This is a standard chat script:

* abort if the modem is busy, you don't get a dial tone, no one
  answers, or 50 seconds elapse.

* use atm0 to mute the modem

* dial the modem, when it connects, wait to be asked for account name

* when we see "name:" prompt, delay briefly then respond with your
  account name (fill in your account name)

Now we get to the new stuff:

* when we see "word:" in the password prompt, instead of responding
  with "@/var/tmp/p", the modified chat program will open the pipe
  /var/tmp/p, read the passcode out of there, and send it

* when we see "compress." (the last word before ppp starts), reply
  with nothing. The script ends and we start ppp.

Note:

* Make sure there is some whitespace between the filename and the \.


IV  Usage

  To use this, install the modified chat and chatchat programs, and
modify your chat script similar to the above. Before you dial in,
start the chatchat program, giving it the same pipe as in your config
file. In the above case:

chatchat /var/tmp/p

  Wait until you have one or two tick marks left on your card's
current number, then start your dial up process that eventually calls
chat. When chat goes to open and read the pipe, chatchat will prompt:


type PIN into SecurID card and
 enter resulting passcode:

  At that point, type your PIN number into your SecurID card, press
the diamond, and type the resulting numbers in as your passcode. If
you've left the -V -v options on your chat command you'll see
everything go out, otherwise it works silently.

  If you type the number wrong or run out of time, the server will
respond with an authentication failure. In that case you will have to
hang up and start again. I don't know how to build a conditional script
that says either expect "compress" next, but if you see "name:" again,
do this instead.


V  Additional Information

  You can obtain additional information about chat and ppp from the
man pages for chat and pppd, as well as the PPP-HOWTO.
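
  The pipe hand-off described in section II, as an added sketch in C
(it is not the code from chat.c or chatchat.c). Because the script's
pipe lives in the shared /var/tmp directory, the reading side here
checks that the path is a FIFO owned by the caller with no group or
other access before it trusts the contents. The function names, the
demo path and the passcode are constructed for illustration.

```c
/* Added sketch, not from chat.c/chatchat.c; names, path and code are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* chat's role: accept only a FIFO we own with no group/other access. */
int fifo_recv(const char *path, char *out, size_t len) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* blocks until a writer opens */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        return -2;                        /* not our private FIFO: refuse */
    }
    ssize_t n = read(fd, out, len - 1);
    close(fd);
    if (n <= 0) return -1;
    out[n] = '\0';
    out[strcspn(out, "\r\n")] = '\0';     /* drop the typed newline */
    return 0;
}

/* Both roles in one process tree: the child sends, the parent reads. */
int handoff(const char *path, const char *code, char *out, size_t len) {
    if (mkfifo(path, 0600) != 0) return -1;   /* never reuse an existing node */
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) {                           /* chatchat's role: write the code */
        int fd = open(path, O_WRONLY);        /* blocks until the reader opens */
        _exit(fd < 0 || write(fd, code, strlen(code)) < 0);
    }
    int rc = fifo_recv(path, out, len);
    waitpid(pid, NULL, 0);
    unlink(path);                             /* the passcode is single-use */
    return rc;
}

int main(void) {
    char buf[32] = "";
    int rc = handoff("/tmp/securid-demo.p", "123456\n", buf, sizeof buf);
    printf("rc=%d passcode=%s\n", rc, buf);
    return rc != 0;
}
```

  A return value of -2 from fifo_recv means something other than the
caller's own owner-only FIFO was found at the path.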