Netgate Discussion Forum
pfSense admin web interface two factor authentication

General pfSense Questions
mmiller

So, does anyone want to pool some cash to get HMAC-Based One-time Password (HOTP) & Time-based One-time Password (TOTP)?

The idea would be to have it display a QR code for Google Authenticator client provisioning or any of the open source smartphone one time password (OTP) applications. It would require you to print the seed to the screen with some basic directions on how to configure / provision the smartphone client software. You could also use a YubiKey hardware token as well. It would be nice to have two factor authentication for the admin web interface.

Apache module:
http://code.google.com/p/mod-authn-otp/

Software tokens:
http://code.google.com/p/google-authenticator/
http://code.google.com/p/oathtoken/
http://motp.sourceforge.net/
http://code.google.com/p/androidtoken/
cmb

There are a number of OTP solutions that can use LDAP, which works. Aside from that, no other options currently.
mmiller

Yeah, I figured one could use OTP with LDAP or RADIUS. I'm wanting OTP to be configurable via the web interface without LDAP or RADIUS.
cmb

An OTP implementation is a major deal in and of itself; there's a reason you won't find any firewall or router with one built in. That's best handled on its own.
mmiller

It looks like you could use ga4php as one option, or use PhoneFactor's PHP SDK for their service. Duo Security also offers free 2 factor auth as a service. Duo looks the most interesting because they provide OTP options for PHP, Unix (SSH or login in general) and OpenVPN. All I'm asking for are hooks to get this going via the local RADIUS server via the web interface and/or use with command line auth and VPN auth.

http://www.phonefactor.com/downloads
http://code.google.com/p/ga4php/
http://www.duosecurity.com/
https://github.com/duosecurity/duo_php
caurelio

I actually compiled google-auth and was able to successfully install it on pfSense 2.0. I can configure sshd to use it, and when I restart the SSH daemon, it works perfectly. The question I have is, now that I have configured the same for pam.d/system, what daemon should I be restarting to get the change picked up by the webGUI? I do not want to restart the hardware to accomplish this.
caurelio

Well, I ended up rebooting the box anyway (after hours), and it doesn't seem to have worked. Normal logins still don't accept the Google auth, but if I set it up for SSH, Google auth works fine. Does anyone have any ideas on what I might be missing?

I really would just like the webGUI login to work with Google auth.
rikar

To answer your question, mmiller, what kind of money are we talking? I would definitely be keen to chuck in for this.
I'm a huge OpenVPN user and adding 2 factor would pretty much make my f_cking day!!!
cmb

@rikar:

> I'm a huge OpenVPN user and adding 2 factor would pretty much make my f_cking day!!!

You can already do this with OpenVPN and basically every two-factor auth solution in existence, either via RADIUS or LDAP.