Sounds like that's the better architecture.
The only downside is that setting up FreeRADIUS is another thing to do, learn about, manage, patch etc. I was hoping for a quick/dirty YET ROBUST solution using a script. The upside is of course that a 2-factor auth system tied to RADIUS gives us some flexibility -- OpenVPN, IPSec etc.

Thanks for the tips!
-Karl



----- Original Message ----- From: "Jim Pingle" <[email protected]>
To: <[email protected]>
Sent: Friday, April 23, 2010 6:25 PM
Subject: Re: [pfSense Support] Add/Change PPTP user accounts from SSH command line.


On 4/23/2010 7:10 PM, Karl Fife wrote:
I am trying to create a 2-factor authentication system for PPTP on
pfSense, and its feasibility depends upon being able to script the
addition/deletion/modification of PPTP user accounts.  Can anyone tell
me what the command-line would be for adding user 'scott' identified by
the password 'tiger1234'?  What would be the command for removing the
user 'scott'?

The bigger picture would be that a road-warrior (Instead of carrying an
RSA, SecurID or Yubikey) would simply call a special telephone number
(Hosted by our Asterisk PBX) just prior to PPTP connection. The call
would trigger our Asterisk server to generate a single-use password
suffix.  The single-use password suffix would be sent to the user's
known phone number ("something you have") via our SMS gateway, or via
callback for voice delivery (to eliminate CALLID spoof vulnerability).
Asterisk would then look up, and prepend the user's 'chosen' password to
the single-use password ("something you know"), and then connect to
pfSense to insert the PPTP user account, and schedule its subsequent
removal.

I may also require to have the user record something in their own voice
to validate "Something you are".  While not a true third factor, this
would give a margin of security for detecting unauthorized access attempts.

Any CLI help would be appreciated!

There is no real way to pull this off from the CLI. The code needed to
add/remove PPTP users is tied to the GUI. Even if you can edit the
"live" password list, then it would not appear in the GUI for management
there.

Why not set PPTP to use a RADIUS server for authentication instead? You
could probably write some simple scripts to insert/delete account info
into a RADIUS database (probably just mysql if you're using something
like FreeRADIUS). Plus you could also have accounting data from login
sessions.

It could be done with the built-in database, but it wouldn't be a quick
and easy fix. (Read: It would probably cost some developer time, either
a bounty or some support hours if you are a commercial support customer)

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
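A sketch of the scripting approach Jim suggests, added here as an example and not code from pfSense, FreeRADIUS or either poster. It uses an in-memory sqlite3 table laid out like FreeRADIUS's stock "radcheck" SQL table (the real deployment would point at MySQL), composes the password the way Karl describes (chosen password plus a single-use suffix), and implements the scheduled removal as an explicit purge step. The "otp_expiry" table, the function names and the exact date format written into the Expiration attribute are assumptions of this example.

```python
import secrets
import sqlite3
import time

# Constructed stand-in for the FreeRADIUS "radcheck" table (MySQL in a real
# deployment); the column layout matches the stock FreeRADIUS SQL schema.
# "otp_expiry" is this example's own bookkeeping table for scheduled removal.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE TABLE otp_expiry (
    username   TEXT PRIMARY KEY,
    expires_at INTEGER NOT NULL
);
"""

SUFFIX_LEN = 8


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def new_suffix(length=SUFFIX_LEN):
    # Digits only, so the code can also be read back over a voice callback.
    return "".join(secrets.choice("0123456789") for _ in range(length))


def add_otp_user(conn, username, chosen_password, ttl_seconds, now=None):
    """Insert a one-session PPTP account: chosen password + random suffix.

    Returns the suffix, which is the part delivered by SMS or callback.
    """
    now = int(time.time()) if now is None else now
    suffix = new_suffix()
    expires_at = now + ttl_seconds
    # MS-CHAPv2 (what PPTP uses) needs Cleartext-Password or NT-Password in
    # radcheck; a hashed Crypt-Password row would never authenticate.
    # The Expiration value format is an assumption of this example.
    exp_str = time.strftime("%b %d %Y %H:%M:%S", time.gmtime(expires_at))
    remove_user(conn, username)  # never leave two live rows for one user
    with conn:
        conn.executemany(
            "INSERT INTO radcheck (username, attribute, op, value) "
            "VALUES (?, ?, ?, ?)",
            [(username, "Cleartext-Password", ":=", chosen_password + suffix),
             (username, "Expiration", ":=", exp_str)])
        conn.execute("INSERT INTO otp_expiry (username, expires_at) "
                     "VALUES (?, ?)", (username, expires_at))
    return suffix


def remove_user(conn, username):
    """Delete every check item for the user; returns rows removed."""
    with conn:
        cur = conn.execute("DELETE FROM radcheck WHERE username = ?",
                           (username,))
        conn.execute("DELETE FROM otp_expiry WHERE username = ?", (username,))
    return cur.rowcount


def purge_expired(conn, now=None):
    """The scheduled removal: drop every account whose window has passed.

    Meant to run from cron (or from the PBX) so a forgotten account never
    outlives its session window. Returns the usernames removed.
    """
    now = int(time.time()) if now is None else now
    rows = conn.execute("SELECT username FROM otp_expiry WHERE expires_at <= ?",
                        (now,)).fetchall()
    removed = [user for (user,) in rows]
    for user in removed:
        remove_user(conn, user)
    return removed


def check_items(conn, username):
    """Return the user's radcheck attributes as a dict (empty if absent)."""
    return dict(conn.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ?",
        (username,)).fetchall())


if __name__ == "__main__":
    db = open_db()
    code = add_otp_user(db, "scott", "tiger1234", ttl_seconds=300)
    print("send to phone:", code)
    print(check_items(db, "scott"))
    print("purged:", purge_expired(db, now=int(time.time()) + 600))
```

The Expiration row is a second line of defence only: if the purge job stops running, FreeRADIUS's rlm_expiration still refuses the stale row, but the account and its cleartext password remain in the table, so the purge is the step to monitor. Storing the value as Cleartext-Password is forced by MS-CHAPv2, which is one more reason to keep the rows short-lived and the database reachable only from the RADIUS host and the PBX.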
