Re: [pfSense Support] Add/Change PPTP user accounts from SSH command line.

2010-04-23 Thread Evgeny Yurchenko

Karl Fife wrote:
I am trying to create a 2-factor authentication system for PPTP on 
pfSense, and its feasibility depends upon being able to script the 
addition/deletion/modification of PPTP user accounts.  Can anyone tell 
me what the command-line would be for adding user 'scott' identified 
by the password 'tiger1234'?  What would be the command for removing 
the user 'scott'?


The bigger picture would be that a road-warrior (Instead of carrying 
an RSA, SecurID or Yubikey) would simply call a special telephone 
number (Hosted by our Asterisk PBX) just prior to PPTP connection. The 
call would trigger our Asterisk server to generate a single-use 
password suffix.  The single-use password suffix would be sent to the 
user's known phone number ("something you have") via our SMS gateway, 
or via callback for voice delivery (to eliminate CALLID spoof 
vulnerability).  Asterisk would then look up, and prepend the user's 
'chosen' password to the single-use password ("something you know"), 
and then connect to pfSense to insert the PPTP user account, and 
schedule its subsequent removal.


I may also require to have the user record something in their own 
voice to validate "Something you are".  While not a true third factor, 
this would give a margin of security for detecting unauthorized 
access attempts.


Any CLI help would be appreciated!

Thanks!
-Karl

What's the budget?


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Add/Change PPTP user accounts from SSH command line.

2010-04-23 Thread Jim Pingle
On 4/23/2010 7:10 PM, Karl Fife wrote:
> I am trying to create a 2-factor authentication system for PPTP on
> pfSense, and its feasibility depends upon being able to script the
> addition/deletion/modification of PPTP user accounts.  Can anyone tell
> me what the command-line would be for adding user 'scott' identified by
> the password 'tiger1234'?  What would be the command for removing the
> user 'scott'?
> 
> The bigger picture would be that a road-warrior (Instead of carrying an
> RSA, SecurID or Yubikey) would simply call a special telephone number
> (Hosted by our Asterisk PBX) just prior to PPTP connection. The call
> would trigger our Asterisk server to generate a single-use password
> suffix.  The single-use password suffix would be sent to the user's
> known phone number ("something you have") via our SMS gateway, or via
> callback for voice delivery (to eliminate CALLID spoof vulnerability). 
> Asterisk would then look up, and prepend the user's 'chosen' password to
> the single-use password ("something you know"), and then connect to
> pfSense to insert the PPTP user account, and schedule its subsequent
> removal.
> 
> I may also require to have the user record something in their own voice
> to validate "Something you are".  While not a true third factor, this
> would give a margin of security for detecting unauthorized access attempts.
> 
> Any CLI help would be appreciated!

There is no real way to pull this off from the CLI. The code needed to
add/remove PPTP users is tied to the GUI. Even if you can edit the
"live" password list, then it would not appear in the GUI for management
there.

Why not set PPTP to use a RADIUS server for authentication instead? You
could probably write some simple scripts to insert/delete account info
into a RADIUS database (probably just mysql if you're using something
like FreeRADIUS). Plus you could also have accounting data from login
sessions.

It could be done with the built-in database, but it wouldn't be a quick
and easy fix. (Read: It would probably cost some developer time, either
a bounty or some support hours if you are a commercial support customer)

Jim
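
Added example, not part of the original thread: one way the RADIUS approach suggested above could be scripted, with a one-time suffix appended to the user's chosen password and the account removed after a short lifetime. It assumes the stock FreeRADIUS `radcheck` table layout, uses an in-memory sqlite3 database as a stand-in for MySQL, and the `otp_expiry` table and all function names are hypothetical.

```python
import secrets
import sqlite3
import time

# Stand-in for the FreeRADIUS SQL database; sqlite3 keeps the example offline.
# radcheck follows the stock FreeRADIUS layout (assumed); otp_expiry is a
# hypothetical helper table used here only to schedule removal.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE otp_expiry (username TEXT PRIMARY KEY, expires_at INTEGER NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def new_suffix(digits=6):
    # CSPRNG-backed digits: the suffix is the "something you have" factor.
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def revoke(db, username):
    db.execute("DELETE FROM radcheck WHERE username = ?", (username,))
    db.execute("DELETE FROM otp_expiry WHERE username = ?", (username,))

def provision(db, username, chosen_password, ttl=300, now=None):
    """Replace any existing entry with chosen password + fresh suffix; return the suffix."""
    now = int(time.time()) if now is None else now
    suffix = new_suffix()
    with db:  # single transaction: never two valid passwords for one user
        revoke(db, username)
        db.execute("INSERT INTO radcheck (username, attribute, op, value) "
                   "VALUES (?, 'Cleartext-Password', ':=', ?)",
                   (username, chosen_password + suffix))
        db.execute("INSERT INTO otp_expiry VALUES (?, ?)", (username, now + ttl))
    return suffix

def purge_expired(db, now=None):
    """Intended for a periodic job: drop every account whose lifetime has passed."""
    now = int(time.time()) if now is None else now
    with db:
        expired = [r[0] for r in db.execute(
            "SELECT username FROM otp_expiry WHERE expires_at <= ?", (now,))]
        for user in expired:
            revoke(db, user)
    return expired
```
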




[pfSense Support] Add/Change PPTP user accounts from SSH command line.

2010-04-23 Thread Karl Fife
I am trying to create a 2-factor authentication system for PPTP on pfSense, 
and its feasibility depends upon being able to script the 
addition/deletion/modification of PPTP user accounts.  Can anyone tell me 
what the command-line would be for adding user 'scott' identified by the 
password 'tiger1234'?  What would be the command for removing the user 
'scott'?


The bigger picture would be that a road-warrior (Instead of carrying an RSA, 
SecurID or Yubikey) would simply call a special telephone number (Hosted by 
our Asterisk PBX) just prior to PPTP connection. The call would trigger our 
Asterisk server to generate a single-use password suffix.  The single-use 
password suffix would be sent to the user's known phone number ("something 
you have") via our SMS gateway, or via callback for voice delivery (to 
eliminate CALLID spoof vulnerability).  Asterisk would then look up, and 
prepend the user's 'chosen' password to the single-use password ("something 
you know"), and then connect to pfSense to insert the PPTP user account, and 
schedule its subsequent removal.


I may also require to have the user record something in their own voice to 
validate "Something you are".  While not a true third factor, this would 
give a margin of security for detecting unauthorized access attempts.


Any CLI help would be appreciated!

Thanks!
-Karl






RE: [pfSense Support] Wierd CARP problem

2010-04-23 Thread Dimitri Rodis
On Thu, Apr 22, 2010 at 7:51 PM, Dimitri Rodis wrote:
>>
>> I would really like to see this work reliably at some point. From what I can
>> tell, this problem is not limited to just Fireboxes, it is on pretty much
>> all NICs that have RTL8139C+ chips on them.
>>
>
>There is something specific about the Fireboxes (and some other
>scenarios), but the re(4) driver isn't always that problematic. I have
>at least two boxes that function normally even under heavy load with
>such cards.
Yes, the re(4) driver is considered stable-- but it depends on which Realtek 
chip you're talking about. The RTL8139C+ chip specifically has (and has had) 
this problem since 6.x from what I can tell, and there were/are apparently a 
number of things that were causing timeouts. A good portion of those issues have 
been fixed by Pyun over the last couple of years, (which have reduced the 
occurrence of timeouts with RTL8139C+ chips--this I can personally attest to), 
but there are some other "undiscovered" cases where they still occur. I am also 
willing to put more time into testing/fixing it, but when the maintainer of the 
driver itself cries uncle, I'm not going to twist his arm unless I have 
something that makes sense for him to change (and I am out of ideas).

What he believes is that there is some undocumented change (or bug) in that 
chip that we wouldn't have any hope of fixing without an engineer from Realtek. 
So, if anyone has any connections, the entire "FreeBSD-Realtek-RTL8139C+-using" 
community would likely thank you... profusely even :)