[PATCH] Multi-factor authentication plugin hook

Hi,

This patch introduces a plugin for MFA support for PPP servers.

This initial version has only been tested for CHAP logins, as that is
what we are using at work and thus what I can test.  It is in production
use on our L2TP VPN server with a plugin that calls out to Duo.  It will
likely require expanding to cover all client-to-server authentication
paths.

The idea here is simple: for an MFA platform that just requires the
username being authenticated, this allows a plugin that will go off and
do this. Unlike the existing authentication hooks, this is enabled for
server-side use.

It won't work with those MFAs that require a one-time password to be entered in addition to the regular password, but does work for those that push an authentication request to an app on a mobile phone.

I am sharing this in the off-chance that it might be useful to somebody.

Michael McConnell
Fri 28 Jan 2022

diff -urN ppp-2.4.9.orig/pppd/auth.c ppp-2.4.9/pppd/auth.c
--- ppp-2.4.9.orig/pppd/auth.c  2021-01-04 23:06:37.000000000 +0000
+++ ppp-2.4.9/pppd/auth.c       2022-01-28 10:47:21.190270504 +0000
@@ -202,6 +202,9 @@

 int (*allowed_address_hook)(u_int32_t addr) = NULL;

+/* Hook for a plugin to perform MFA given the user/client name */
+int (*auth_mfa_hook) __P((char *mfauser)) = NULL;
+
 #ifdef HAVE_MULTILINK
 /* Hook for plugin to hear when an interface joins a multilink bundle */
 void (*multilink_join_hook)(void) = NULL;
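Review bot: the new declaration `int (*auth_mfa_hook) __P((char *mfauser)) = NULL;` uses the `__P()` macro while the neighbouring hook definitions in this hunk (`int (*allowed_address_hook)(u_int32_t addr) = NULL;`, `void (*multilink_join_hook)(void) = NULL;`) use plain prototypes; write it as `int (*auth_mfa_hook)(char *mfauser) = NULL;` for consistency, and consider `const char *mfauser` since a plugin only needs to read the name.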
@@ -1454,6 +1457,10 @@
     slprintf(user, sizeof(user), "%.*v", userlen, auser);
     *msg = "";

+    /* Try MFA, if the plugin returns nonzero we fail to authenticate */
+    if (auth_mfa_hook)
+      if ( (*auth_mfa_hook)(user) ) return UPAP_AUTHNAK;
+
     /*
      * Check if a plugin wants to handle this.
      */
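Review bot: the MFA call is placed immediately after the peer's username is copied into `user` and before anything verifies the password, whether by the plugin path under "Check if a plugin wants to handle this" or the secrets lookup that follows, so the second factor is exercised for any peer that merely presents a username. For the push-style MFA the cover letter describes, that lets an unauthenticated peer generate push prompts to the real user at will and makes the slow external round-trip precede the cheap local check. Move the call to the point where the password has been verified so that MFA runs only for a correct first factor, and set `*msg` to a distinct string on the `UPAP_AUTHNAK` path so logs can tell an MFA rejection from a bad password.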
@@ -1812,6 +1819,10 @@
            free_wordlist(addrs);
     }

+    /* Try MFA, if the plugin returns nonzero we fail to authenticate */
+    if (auth_mfa_hook)
+      if ( (*auth_mfa_hook)(client) ) return 0;
+
     len = strlen(secbuf);
     if (len > MAXSECRETLEN) {
        error("Secret for %s on %s is too long", client, server);
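Review bot: same ordering problem as the PAP hunk, plus a scoping one. The hook fires before the secret is even measured (`len = strlen(secbuf)`), i.e. before the secret is used to check the peer's CHAP response, so the external MFA round-trip happens for any client name presented; and nothing in this hunk restricts the call to the case where pppd is the authenticator, although the cover letter says the hook is intended for server-side use, so a pppd acting as a client looking up its own secret would also invoke the plugin. Guard the call on the function's server-side flag and perform MFA only after the CHAP response has verified. Also, `return 0` here is silent while the existing failure path just below logs a reason ("Secret for %s on %s is too long"), so an MFA rejection is indistinguishable in the logs from a secrets-file problem; emit a distinct message.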
diff -urN ppp-2.4.9.orig/pppd/pppd.h ppp-2.4.9/pppd/pppd.h
--- ppp-2.4.9.orig/pppd/pppd.h  2021-01-04 23:06:37.000000000 +0000
+++ ppp-2.4.9/pppd/pppd.h       2022-01-28 10:47:21.192289610 +0000
@@ -767,6 +767,9 @@
 extern int (*eaptls_passwd_hook)(char *user, char *passwd);
 #endif

+/* Hook for a plugin to perform MFA given the user/client name */
+extern int (*auth_mfa_hook) __P((char *mfauser));
+
 /* Let a plugin snoop sent and received packets.  Useful for L2TP */
 extern void (*snoop_recv_hook)(unsigned char *p, int len);
 extern void (*snoop_send_hook)(unsigned char *p, int len);
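Review bot: the header comment on the new `extern` says only that the hook is "given the user/client name"; since plugin authors will read this header rather than auth.c, it should document the contract the callers rely on (return 0 to allow, nonzero to reject the authentication) and that the name is passed in a caller-owned buffer (auth.c fills `user` with `slprintf`), so a plugin must copy it if it needs the value after returning. The same `__P((...))` versus plain-prototype inconsistency with the adjacent `eaptls_passwd_hook` and `snoop_*_hook` declarations applies here.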


