Two scripts in parallel

Hello,
I would need to run two scripts in parallel on one interface (/dev/ttyUSB0).

Under Ubuntu I simply open two windows.
In one runs “cat” and waits for response.
In the other one something is output with “echo”.

Windows are not possible in IPFire.
But with two consoles it doesn’t work, the hidden one doesn’t seem to react until I go back to it.

Thanks

What is the interface /dev/tty/ACM0 for?
Is it the system console of IPFire?
How do you connect to IPFire?

As a terminal multiplexer you can install the tmux addon.

EDIT: These questions are true for the “new” interface /dev/tty/USB0 also.

Hallo Bernhard,

i have made a small USB dongle with which I want to automatically control various functions in IPFire.
e.g. When plugging in, a specific USB stick mount and when unplugging this delayed eject.

On the dongel should also be stored all access data for the IPFire, so that without this no access is possible.
Therefore I have to send a command to get the access data.
This has the advantage that very long passwords can be used without having to remember or type them.

The whole thing happens in the end in the background without console.
Now it concerns me first of all about the Script test.

I have read that you can start another script with one, and that they should run in parallel.

IMG_20211102_11104412321×1015 302 KB

IMG_20211102_11111011920×803 61.2 KB

Could you please be a bit more specific about the goal of your ‘dongle development’?

• To what parts of IPFire shall it establish a connection?
• How do you want to administer your IPFire installation ( this is the main purpose, i suppose) ?
• Where is the dongle to be attached?
• What OS is running on the dongle?

These informations help us to answer your specific question(s).

To which parts of IPFire do you want it to connect?

• Weblogin & mount/unmount

How do you want to manage your IPFire installation (that’s the main purpose, I assume)?

• Access restriction & service

Where do you want the dongle to be connected?

• free USB socket

What operating system is running on the dongle?

• No operating system it only emulates a serial interface and performs its own functions such as a modem

Sorry, I can’t see your projected system.

Where is the dongle to be used? At the IPFire system? At the configuration PC?
How do you want to authenticate over the serial to the Web interface?

BTW: Each processor needs a kind of operation system. Even the good old while true loop is an OS ( not optimal in reaction time, but sufficient to do primitive tasks ).

Where is the dongle to be used? On the IPFire system? At the configuration PC?

• At the IPFire system

How do you want to authenticate via the serial interface to the web interface?

• the dongle authenticates itself at the IPFire and transfers the password file of the web interface to the IPFire.

By the way, every processor needs some kind of operating system. Even the good old while true loop is an operating system ( not optimal in reaction time, but sufficient to do primitive tasks ).

• The dongle works similar to an FTDI 232 adapter, except that no control PC is connected to the RxD/TxD side. The task is taken over by the dongel.
  Everything is triggered with the help of two udev controls on the IPFire.

The problem can be described roughly like this:

udevScript1( IPFire “echo Klaus” ) —> ttyUSB0 —> Dongel —> ttyUSB0 —> udevScript2( IPFire “cat >file” )

Do I understand right?

• Dongle is inserted, udev executes script1 (echo Klaus )
• Dongle answers with the password, udev executes script2 (cat >file)
• And then ???

First part is a problem of udev config, I think. And to be exact, the scripts are not executed parallel but in sequence. So it should be possible to combine them.
But I`m not an expert with udev.

Why this complicated way? If you have access to a USB port of IPFire, you should also have access to a dedicated LAN port ( you can use blue0, if there is no WLAN ), if you want restrict the access to the Web User Interface.

Do I understand this correctly?

Dongle is plugged in, udev executes script1 (echo Klaus )
Dongle responds with password, udev runs script2 (cat >file)
Then what?
- that was it

The first part is a udev configuration problem, I think. And to be precise, the scripts are not executed in parallel, but one after the other. So it should be possible to combine them.
But I am not an expert with udev.

I once read that a script can execute another script in its own process. (Ubuntu)

I have also tried to run echo and cat in one line in a console.
But I couldn’t get it to work.
echo ‘#Klaus’ > /dev/ttyUSB0 > cat /dev/ttyUSB0 > /var/ipfire/auth/users
echo ‘#Klaus’ > /dev/ttyUSB0 > /var/ipfire/auth/users

Why this complicated way? If you have access to a USB port of the IPFire, you should also have access to a dedicated LAN port (you can use blue0 if there is no WLAN) if you want to restrict access to the web user interface.

• there is no way to join the network.
• there is only red and green

The next dongle still has an RFID interface, LEDs, relays and RS232 (for the old UPS) but that is another topic.

The right syntax for sequential processing in bash would be

echo '#Klaus' > /dev/ttyUSB0 ; cat /dev/ttyUSB0 > /var/ipfire/auth/users

IPFire is administered by two interfaces

• console ( serial or monitor/keyboard, depends on hardware IPFire is running on ); access to the shell as root.
• network; either with SSH to the root shell or the web interface as admin.

So as administrator you should have access to both.
Console access is needed, if there are errors in the network configuration.
The design of IPFire is that most configuration is done in the web interface. The .cgi scripts write the real configuration files and restart services, if modifications demand this.
That means, using IPFire as internet access device for a LAN based system demands an admin access from the LAN!
The web server of IPFire demands password authentification. The data flow is on the connection, which requested the web page, the endpoint of this connection is the web browser.

Bernhard forget about the other stuff that has nothing to do with the problem.

your tip with the ; was correct now a file is created.

echo ‘#Klaus’ > /dev/ttyUSB0 ; cat </dev/ttyUSB0 >/var/ipfire/auth/users

We cannot forget about the other stuff.
You asked about an IPFire possibility, but your problem was basic bash syntax.
The main problem isn’t solved with your dongle, I suppose.

That was the last problem with the IPFire communicating with the dongle.
I have already done the rest on other Ubuntu servers.

How did you manage this.
Maybe your solution would be interesting for projects with similiar restrictions.

So if I bring a modified serial dongle, like an Arduino Nano with custom USB firmware… I could install my own password file onto your machine just by plugging in that dongle? Very nice, saves a lot of work!
(I don’t mean to be rude, but this sounds like a very bad idea.)

A Crypt programme is running on the dongel.
Only if the IPFire gives the correct answer when it is plugged in does it receive the second key for decrypting its password file.
Otherwise it sends nothing and locks itself.
If the answer is missing or wrong, the USB dongle is rejected by the IPFire for 1 hour.

Is that enough?

You did deep modifications to IPFire, right?

To understand them, you should describe them.
How is the administration interface called?
Have you modified the apache config? If yes, how?
How do you assure, a core upgrade doesn’t destroy your modifications? Apache is a main part of the IPFire distribution, so it can be changed by an update massively. Such a modification usually considers all known features. To assure your ‘private’ features are not violated, you must engage in testing new core updates.BTW: ‘private features’ are not really compatible with Open Source.

The other side is your HW solution of security. Dongles are devices which can be taken away and cloned. This is one reason why they aren’t be used widely anymore nowadays.
A software system is best secured by good software mechanisms implemented with a deep systems knowledge. My opinion.

You’ve made profound changes to IPFire, right?

no

To understand them, you should describe them.
How to access the administration interface?

• local login without changes
• weblogin is controlled by dongel & script

Have you changed the Apache configuration? If yes, how?

• no the passwords are in the same directory

How do you ensure that a core upgrade does not break your modifications? Apache is a major component of the IPFire distribution, so it can be massively modified by an update. Such a modification usually takes into account all known features. To make sure your ‘private’ features are not violated, you need to get involved with testing new core updates.

• the only interface to Apache is the password file. As long as nothing is changed in the existing login concept there will be no impact.
• During the core upgrade only the standart udev rules are processed, since I create my own there is no collision here.

The other side is your HW solution of security. Dongles are devices that can be taken away and cloned. That is one reason why they are not used as much these days.

• it depends on how the dongle works and how it reacts to errors.
• Code is not readable/changeable
• With wrong dongel the system locks itself (USB dongel) and you need administrative rights to unlock the system.
  V2+ in version 2 there are still some options e.g. RFID access card
  V2+ with each new registration two new keys are generated and one each on the Dongel and RFID card stored.
  V+ In case of a faulty key, the dongle is locked and unusable (can no longer be programmed and the USB interface is deactivated).

A software system is best secured by good software mechanisms implemented with deep system knowledge". My opinion.

• Yes the software on the IPFire is the weak point but I think that’s not the dongel’s job as it doesn’t touch those rights.

Translated with DeepL Translate: The world's most accurate translator (free version)

How do you control login to WebUI without modifications to the apache config?

How do you lock the system?
You need administrative rights yet to change IPFire’s configuration!
Your efforts in generating µC based dongles are interesting, but if I remember right from previous discussions your problem lies in administrative access to your system. This is an issue in your network design, not in access to your IPFire.

Hello Leo H,

So if I bring a modified serial dongle, e.g. an Arduino Nano with custom USB firmware, I can install my own password file on your machine just by plugging in the dongle? Very nice, that saves a lot of work!
(I don’t want to be rude, but this sounds like a very bad idea).

It is not supposed to be that simple.
There should be security mechanisms that can prove the validity of the dongle. e.g.:

• key rotation
• certificates
• 2. identification (RFID card, PIN, barcode scanner …)
• …

Don’t panic, it is only about the feasibility of such an option.

The biggest weakness is that the software on the IPFire can be easily manipulated after login.
But I don’t want to dive that deep into the IPFire concept. If you want someone can write a program to do that.