I use easy-rsa (https://github.com/OpenVPN/easy-rsa) to build my tiny CA and its clients / servers. Since it's just for learning purposes, I was thinking about doing some automatization. Normally I can create the files needed by a client by typing:

./easyrsa build-client-full client
but what when I need ~ 500 different client files? `cp` is not what I want here. I tried to write a little bash script to help myself out:

But it simply 'does not work'. When I build my client files in the terminal I have to give 2 client passwords and the CA password. The main problem is I don't know how on earth to pass them within the script - is that possible? My script gives me

Ignoring unknown command option:

as output.

mirx
1 Answer
Reading through the easyrsa source code, it seems that the `build-client-full` command only takes one argument: `name`. So, the error that you get is simply because it does not know what to do with the passwords you have added on the command line. I guess that the program asks you for these passwords interactively, so you must supply them to the program via stdin.

Hacking easyrsa

NOTE: OpenSSL (the backend of `easyrsa`) does not listen to stdin by default. To make it do so, we must add `-passout stdin` (since it is a password saved in an output file) to the OpenSSL command line. Alternatively, one could add `-passout file:passfile` if the passwords are kept in the file `passfile`. To make it harder, `easyrsa` does not have an easy way of adding arguments to the OpenSSL command. Thus, we must change the source code somehow. However, this is easy. To be able to use the alternatives below, add this into the `gen_req` function of easyrsa after the definition of `local opts=`:

Also, it seems that OpenSSL closes the stdin stream after its first use (in `gen_req`), so it can't also be used for signing with the CA certificate (in `sign_req`). We can tell OpenSSL to read from a file instead of reading from stdin (it may also be used for the above).

(NOTE: The solutions below are kept mostly for future reference, in cases where multiple calls to OpenSSL are not involved...)

'General solution' #1: Pipes

One way to pass passwords through stdin is to start a subshell and then pipe it to easyrsa, which would simulate the actual keypresses you would have done manually. Your example would then look like this:

Instead of creating a subshell, you could change the `(echo $pass; echo ...)` to

or

depending on what you find the most readable.

'General solution' #2: stdin redirection

The above alternative has the drawback that the passwords will appear in process listings (such as `ps`), and is thus from a security standpoint a bad idea if you are on a shared box. A better way would be to create a file with the passwords, like this:

Then, you invoke easyrsa in your loop above by simply writing:

where `passfile` is your file with the passwords. This of course assumes that you have the same password for all files.

Joskar
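A batch version of the file-based approach from the answer above, as an added example that is not code from the answer or from the easy-rsa project: it calls OpenSSL directly (the same `req` and signing steps that easyrsa wraps), so it needs no patch to easyrsa, keeps the client and CA passphrases in two owner-only files so neither shows up in `ps`, and goes beyond the answer by also signing each request with the CA, which is exactly the second OpenSSL call that a single stdin pipe cannot serve. The directory layout, file names, CN values, the 2048-bit key size and the `demo` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer or from easy-rsa: a batch
# "build-client-full" done with plain OpenSSL, reading every passphrase from a
# file (-passout/-passin file:...) instead of the command line or stdin.
# Directory names, file names, CN values and key size are assumptions.
set -eu

# Write a passphrase file that only the owner can read. umask is changed in a
# subshell so the caller's umask stays untouched.
write_passfile() {                     # write_passfile PATH SECRET
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# One-off CA: encrypted key plus self-signed certificate, passphrase in ca.pass.
setup_ca() {                           # setup_ca DIR CA_SECRET
    mkdir -p "$1"
    write_passfile "$1/ca.pass" "$2"
    openssl req -x509 -new -newkey rsa:2048 -days 365 \
        -keyout "$1/ca.key" -passout "file:$1/ca.pass" \
        -subj "/CN=Demo CA" -out "$1/ca.crt" 2>/dev/null
}

# Equivalent of easyrsa gen_req + sign_req for one client name. The client key
# passphrase comes from client.pass and the CA passphrase from ca.pass: two
# files, because OpenSSL runs twice and the first run would consume a stdin pipe.
build_client() {                       # build_client DIR NAME
    dir="$1"; name="$2"
    openssl req -new -newkey rsa:2048 \
        -keyout "$dir/$name.key" -passout "file:$dir/client.pass" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "file:$dir/ca.pass" \
        -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
}

# The loop that replaces typing the command ~500 times by hand.
build_clients() {                      # build_clients DIR PREFIX COUNT
    i=1
    while [ "$i" -le "$3" ]; do
        build_client "$1" "$2$i"
        i=$((i + 1))
    done
}

# Checks that confirm the batch did what we expect.
count_certs() {                        # number of client certificates in DIR
    ls "$1"/*.crt 2>/dev/null | grep -vc '/ca\.crt$'
}
cert_cn_is() {                         # cert_cn_is DIR NAME -> 0 if the CN matches
    openssl x509 -in "$1/$2.crt" -noout -subject | grep -q "CN *= *$2\$"
}
cert_chains_to_ca() {                  # cert_chains_to_ca DIR NAME -> 0 if it verifies
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone run: `sh batch_pki.sh demo` builds a tiny CA and three clients
# in ./batch-pki-demo (constructed demo secrets, never use them for real).
if [ "${1:-}" = "demo" ]; then
    setup_ca ./batch-pki-demo 'ca-secret-example'
    write_passfile ./batch-pki-demo/client.pass 'client-secret-example'
    build_clients ./batch-pki-demo client 3
    echo "built $(count_certs ./batch-pki-demo) client certificates"
fi
```

Because the secret reaches OpenSSL through a file descriptor rather than argv, another user on a shared box sees only `-passout file:.../client.pass` in the process list, and the `umask 077` in `write_passfile` is what stops that user from simply reading the file instead.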
Comments
commented Sep 5, 2017

openvpn-build commit OpenVPN/openvpn-build@cb9a523 breaks all easyrsa on Windows because openvpn binaries (including openssl) are no longer added to PATH during install.

changed the title to "Openvpn Windows installer dropping feature 'add openvpn to PATH' - easyrsa can no longer find openssl" Sep 5, 2017

changed the title to "easyrsa can no longer find openssl" Sep 5, 2017

commented Sep 5, 2017

This doesn't seem like an EasyRSA problem, but actually a problem with how OpenVPN is packaging and installing the software.

referenced this issue Sep 5, 2017

Closed: replace EnvVarUpdate.nsh with AddToPath.nsh #103

commented Sep 6, 2017

@TinCanTech : good catch. I believe a typical way to handle this is to have an 'EasyRSA command-prompt' shortcut in the Start menu with the correct PATH. That way the system path does not have to be modified.

referenced this issue Sep 6, 2017

Merged: Stop modifying path to avoid problems #105

commented Sep 6, 2017

As there is some debate as to who this problem belongs to, it seems only sensible to keep further discussion in this thread: OpenVPN/openvpn-build#103. If/when a solution is found then this EasyRSA issue #148 can be closed.

added a commit to mattock/easy-rsa-old that referenced this issue Sep 20, 2017

Set openssl PATH based on registry registry lookup

referenced this issue Sep 20, 2017

Merged: Set openssl PATH based on registry registry lookup #5

commented Sep 20, 2017

FYI: proposed fix for easy-rsa-old: OpenVPN/easy-rsa-old#5

commented Sep 25, 2017

@TinCanTech : care to review the proposed fix for easy-rsa-old? I need to build Windows installers tomorrow and would like to have someone review and test the changes before I merge them. And time is running short as I have to build new Windows installers tomorrow.

commented May 3, 2018

I have this problem in openvpn-install-2.4.6-I602 ...