From: Michael McConnell <mike@matrixnetwork.co.uk>
To: linux-ppp@vger.kernel.org
Subject: [PATCH] Multi-factor authentication plugin hook
Date: Fri, 28 Jan 2022 11:05:23 +0000
Message-ID: <34c707f1-1200-c17b-436e-f820617d6a6e@matrixnetwork.co.uk>
Hi,
This patch introduces a plugin for MFA support for PPP servers.
This initial version has only been tested for CHAP logins, as that is
what we are using at work and thus what I can test. It is in production use
on our L2TP VPN server with a plugin that calls out to Duo. It will
likely require expanding to cover all client-to-server authentication
paths.
The idea here is simple: for an MFA platform that just requires the
username being authenticated, this allows a plugin that will go off and
do this. Unlike the existing authentication hooks, this is enabled for
server-side use.
It won't work with those MFAs that require a one-time password to be
entered in addition to the regular password, but does work for those
that push an authentication request to an app on a mobile phone.
I am sharing this in the off-chance that it might be useful to somebody.
Michael McConnell
Fri 28 Jan 2022
diff -urN ppp-2.4.9.orig/pppd/auth.c ppp-2.4.9/pppd/auth.c
--- ppp-2.4.9.orig/pppd/auth.c 2021-01-04 23:06:37.000000000 +0000
+++ ppp-2.4.9/pppd/auth.c 2022-01-28 10:47:21.190270504 +0000
@@ -202,6 +202,9 @@
int (*allowed_address_hook)(u_int32_t addr) = NULL;
+/* Hook for a plugin to perform MFA given the user/client name */
+int (*auth_mfa_hook) __P((char *mfauser)) = NULL;
+
#ifdef HAVE_MULTILINK
/* Hook for plugin to hear when an interface joins a multilink bundle */
void (*multilink_join_hook)(void) = NULL;
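Review bot: the new declaration uses the legacy `__P((char *mfauser))` wrapper while the neighbouring hooks in this file (`allowed_address_hook`, `multilink_join_hook`) use plain ANSI prototypes; declare it as `int (*auth_mfa_hook)(char *mfauser) = NULL;` and, since the plugin only reads the name, consider `const char *`. The comment should also state the return contract (nonzero means deny), because that is what both call sites in this patch rely on.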
@@ -1454,6 +1457,10 @@
slprintf(user, sizeof(user), "%.*v", userlen, auser);
*msg = "";
+ /* Try MFA, if the plugin returns nonzero we fail to authenticate */
+ if (auth_mfa_hook)
+ if ( (*auth_mfa_hook)(user) ) return UPAP_AUTHNAK;
+
/*
* Check if a plugin wants to handle this.
*/
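Review bot: the MFA callout is placed directly after `*msg = "";`, ahead of the `Check if a plugin wants to handle this` block, so the second factor is consulted before the first factor has been verified: a PAP request carrying a valid username and a wrong password still produces a callout to the MFA provider, which means an unauthenticated peer can cause push prompts for real users and every failed login costs a provider round-trip. Move the call to after the password has been accepted, so it runs only when the first factor succeeded. On the deny path `*msg` is left as the empty string; set it (for example "MFA denied") so the failure is distinguishable in the NAK and in the logs. Style: the nested single-line `if` reads better as `if (auth_mfa_hook && (*auth_mfa_hook)(user)) return UPAP_AUTHNAK;` with braces to match the surrounding code.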
@@ -1812,6 +1819,10 @@
free_wordlist(addrs);
}
+ /* Try MFA, if the plugin returns nonzero we fail to authenticate */
+ if (auth_mfa_hook)
+ if ( (*auth_mfa_hook)(client) ) return 0;
+
len = strlen(secbuf);
if (len > MAXSECRETLEN) {
error("Secret for %s on %s is too long", client, server);
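Review bot: here the hook runs after the secrets-file lookup (`free_wordlist(addrs)`) but before the secret is handed back to the CHAP code, so as in the PAP hunk the push goes out before the challenge response has been verified; the same reordering applies. get_secret() is also reached when pppd is the one being authenticated (it takes an `am_server` argument in pppd), so gate the callout on that flag or the push will fire when pppd looks up its own credentials to answer a peer's challenge. Returning 0 is reported to the caller as "no secret found", which hides an MFA denial behind the generic missing-secret error path; log the MFA failure explicitly before returning so operators can tell the two apart.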
diff -urN ppp-2.4.9.orig/pppd/pppd.h ppp-2.4.9/pppd/pppd.h
--- ppp-2.4.9.orig/pppd/pppd.h 2021-01-04 23:06:37.000000000 +0000
+++ ppp-2.4.9/pppd/pppd.h 2022-01-28 10:47:21.192289610 +0000
@@ -767,6 +767,9 @@
extern int (*eaptls_passwd_hook)(char *user, char *passwd);
#endif
+/* Hook for a plugin to perform MFA given the user/client name */
+extern int (*auth_mfa_hook) __P((char *mfauser));
+
/* Let a plugin snoop sent and received packets. Useful for L2TP */
extern void (*snoop_recv_hook)(unsigned char *p, int len);
extern void (*snoop_send_hook)(unsigned char *p, int len);
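Review bot: the header comment should document the calling convention a plugin must implement (the argument is the peer name being authenticated, return nonzero to deny, server side only), since this is the only place plugin authors will see it; also drop `__P` to match the adjacent `eaptls_passwd_hook` and `snoop_*_hook` prototypes. A matching entry in the pppd(8) man page describing the new hook should accompany the patch, as the cover letter notes that other authentication paths are not yet covered.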