Forum Discussion
Daily password access control iRule
I'm currently searching for a solution to give access to various virtual servers over the internet by means of a password (using simple www authentication). I already have an iRule that does this for a static username and password; however, I'd like to beef it up a bit and have a daily changing password. We don't have the luxury or option to use APM in this case. I also realise what I am suggesting is not the best security-wise; however, it is the right amount of security for the application in question.
One way I think this could work is by using a command such as this to generate a 10 character random password:
tr -dc A-Za-z0-9_ < /dev/urandom | head -c 10 | xargs
I was then thinking of creating this as a script in cron, which would then output it to a file local on the load balancer; this file could then be read by the iRule in order to use that generated string as the password for the day. This is where I get stuck! I have read a little about iFiles and external datagroups but I am a little confused - my understanding is that you can import the file, but once imported it is in memory, and changing the value inside the file won't have any effect on the currently loaded datagroup values.
I am running v11.1 if this helps and we are using partitions - is there an easy way to reference this file on the load balancer within an iRule dynamically? Or would cron have to have some sort of datagroup reload command within it once it has generated the file, and if so, what would that be? Any help would be much appreciated :-)
(Also, if anyone knows of a simpler way to do this and thinks I am re-inventing the wheel then please do tell me as it's driving me a little bonkers :) thanks)
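The cron step described in the post above, as an added example that is not part of the original thread: it generates the password with the same `tr`/`/dev/urandom` pipeline, rejects a short result, and installs the file by atomic rename so a reader never sees a partial or world-readable file. The function names, `PW_LEN` and the `--rotate` argument are assumptions, and how the iRule picks the value up is not covered.

```shell
#!/bin/sh
# Added example: daily password rotation for the cron job described above.
# PW_LEN, the function names and the --rotate argument are assumptions.
PW_LEN=10

# Emit PW_LEN characters from A-Za-z0-9_ using the kernel CSPRNG.
# tr drops every byte outside the set, so each kept character is uniform.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_' < /dev/urandom | head -c "$PW_LEN"
}

# Write a fresh password to the file named in $1.
rotate_password_file() {
    target=$1
    dir=$(dirname "$target")
    # mktemp creates the file with mode 0600; keeping it in the target's
    # directory means the final mv is a rename on the same filesystem.
    tmp=$(mktemp "$dir/.pw.XXXXXX") || return 1
    pw=$(gen_password)
    # Refuse to install a short or empty value (e.g. the read failed).
    if [ "${#pw}" -ne "$PW_LEN" ]; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$pw" > "$tmp"
    # Atomic replace: readers see either the old file or the new one.
    mv -f "$tmp" "$target"
}

# Example daily cron command: rotate.sh --rotate /path/to/password.txt
if [ "${1:-}" = "--rotate" ] && [ -n "${2:-}" ]; then
    rotate_password_file "$2"
fi
```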
- nitass (Employee): Not sure if I understand correctly. May we retrieve the password using HTTP instead? So, BIG-IP uses sideband to fetch the password, puts it in a table and uses it for authentication. This is what Watkins did in the article below.
- JamesS_40157 (Nimbostratus): Thanks nitass - that's interesting, we could look at putting the password on a separate server. This actually seems preferable the more I think about it!
- nitass (Employee): "we could look at putting the password on a separate server." I understand we can use a virtual server name in sideband's connect command. So, the web server which hosts the password can be just another virtual server.
- LyonsG_85618 (Cirrostratus):
"I already have an irule that does this for a static username and password"
Hi James
I am looking to do something similar to you but at the basic level.
Can you share your iRule for the static username/password?
Is it the same as https://devcentral.f5.com/tech-tips...rule-style
Many thanks.
Graham