pfSense admin web interface two-factor authentication
-
So, does anyone want to pool some cash to get HMAC-Based One-time Password (HOTP) and Time-based One-time Password (TOTP)?
The idea would be to have it display a QR code for provisioning the Google Authenticator client or any of the open-source smartphone one-time password (OTP) applications. It would require you to print the seed to the screen with some basic directions on how to configure / provision the smartphone client software. You could also use a YubiKey hardware token. It would be nice to have two-factor authentication for the admin web interface.
Apache module:
http://code.google.com/p/mod-authn-otp/
Software tokens:
http://code.google.com/p/google-authenticator/
http://code.google.com/p/oathtoken/
http://motp.sourceforge.net/
http://code.google.com/p/androidtoken/
-
There are a number of OTP solutions that can use LDAP, which works. Aside from that, no other options currently.
-
Yeah, I figured one could use OTP with LDAP or RADIUS. I'm wanting OTP to be configurable via the web interface without LDAP or RADIUS.
-
An OTP implementation is a major deal in and of itself; there's a reason you won't find any firewall or router with one built in. That's best handled on its own.
-
It looks like you could use ga4php as one option, or use PhoneFactor's PHP SDK for their service. Duo Security also offers free two-factor auth as a service. Duo looks the most interesting because they provide OTP options for PHP, Unix (SSH or login in general) and OpenVPN. All I'm asking for are hooks to get this going via a local RADIUS server configured through the web interface, and/or for use with command-line auth and VPN auth.
http://www.phonefactor.com/downloads
http://code.google.com/p/ga4php/
http://www.duosecurity.com/
https://github.com/duosecurity/duo_php
-
I actually compiled google-auth and was able to successfully install it on pfSense 2.0. I can configure sshd to use it, and when I restart the SSH daemon, it works perfectly. The question I have is: now that I have configured the same for pam.d/system, what daemon should I be restarting to get the change picked up by the webGUI? I do not want to restart the hardware to accomplish this.
-
Well, I ended up rebooting the box anyway (after hours), and it doesn't seem to have worked. Normal logins still don't accept the Google auth, but if I set it up for SSH, Google auth works fine. Does anyone have any ideas on what I might be missing?
I really would just like the webGUI login to work with Google auth.
-
To answer your question, mmiller: what kind of money are we talking? I would definitely be keen to chuck in for this.
I'm a huge OpenVPN user and adding 2 factor would pretty much make my f_cking day!!!
-
I'm a huge OpenVPN user and adding 2 factor would pretty much make my f_cking day!!!
You can already do this with OpenVPN and basically every two-factor auth solution in existence, either via RADIUS or LDAP.