On 4/23/2010 7:10 PM, Karl Fife wrote:
> I am trying to create a 2-factor authentication system for PPTP on
> pfSense, and its feasibility depends upon being able to script the
> addition/deletion/modification of PPTP user accounts. Can anyone tell
> me what the command-line would be for adding user 'scott' identified by
> the password 'tiger1234'? What would be the command for removing the
> user 'scott'?
>
> The bigger picture would be that a road-warrior (Instead of carrying an
> RSA, SecurID or Yubikey) would simply call a special telephone number
> (Hosted by our Asterisk PBX) just prior to PPTP connection. The call
> would trigger our Asterisk server to generate a single-use password
> suffix. The single-use password suffix would be sent to the user's
> known phone number ("something you have") via our SMS gateway, or via
> callback for voice delivery (to eliminate CALLID spoof vulnerability).
> Asterisk would then look up, and prepend the user's 'chosen' password to
> the single-use password ("something you know"), and then connect to
> pfSense to insert the PPTP user account, and schedule its subsequent
> removal.
>
> I may also require to have the user record something in their own voice
> to validate "Something you are". While not a true third factor, this
> would give a margin of security for detecting unauthaorized access attemps.
>
> Any CLI help would be appreciated!
There is no real way to pull this off from the CLI. The code needed to
add/remove PPTP users is tied to the GUI. Even if you can edit the
"live" password list, then it would not appear in the GUI for management
there.
Why not set PPTP to use a RADIUS server for authentication instead? You
could probably write some simple scripts to insert/delete account info
into a RADIUS database (probably just mysql if you're using something
like FreeRADIUS). Plus you could also have accounting data from login
sessions.
It could be done with the built-in database, but it wouldn't be a quick
and easy fix. (Read: It would probably cost some developer time, either
a bounty or some support hours if you are a commercial support customer)
Jim
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
