linux-ppp.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Michael McConnell <mike@matrixnetwork.co.uk>
To: linux-ppp@vger.kernel.org
Subject: [PATCH] Multi-factor authentication plugin hook
Date: Fri, 28 Jan 2022 11:05:23 +0000	[thread overview]
Message-ID: <34c707f1-1200-c17b-436e-f820617d6a6e@matrixnetwork.co.uk> (raw)

Hi,

This patch introduces a plugin for MFA support for PPP servers.

This initial version has only been tested for CHAP logins, as that is
what we are using at work thus what I can test.  It is in production use
on our L2TP VPN server with a plugin that calls out to Duo.  It will
likely require expanding to cover all client-to-server authentication
paths.

The idea here is simple, for a MFA platform that just requires the
username being authenticated, this allows a plugin that will go off and
do this. Unlike the existing authentication hooks, this is enabled for
server-side use.

It won't work with those MFAs that require a one-time password to be 
entered in addition to the regular password, but does work for those 
that push an authentication request to an app on a mobile phone.

I am sharing this in the off-chance that it might be useful to somebody.

Michael McConnell
Fri 28 Jan 2022

diff -urN ppp-2.4.9.orig/pppd/auth.c ppp-2.4.9/pppd/auth.c
--- ppp-2.4.9.orig/pppd/auth.c  2021-01-04 23:06:37.000000000 +0000
+++ ppp-2.4.9/pppd/auth.c       2022-01-28 10:47:21.190270504 +0000
@@ -202,6 +202,9 @@

  int (*allowed_address_hook)(u_int32_t addr) = NULL;

+/* Hook for a plugin to perform MFA given the user/client name */
+int (*auth_mfa_hook) __P((char *mfauser)) = NULL;
+
  #ifdef HAVE_MULTILINK
  /* Hook for plugin to hear when an interface joins a multilink bundle */
  void (*multilink_join_hook)(void) = NULL;
@@ -1454,6 +1457,10 @@
      slprintf(user, sizeof(user), "%.*v", userlen, auser);
      *msg = "";

+    /* Try MFA, if the plugin returns nonzero we fail to authenticate */
+    if (auth_mfa_hook)
+      if ( (*auth_mfa_hook)(user) ) return UPAP_AUTHNAK;
+
      /*
       * Check if a plugin wants to handle this.
       */
@@ -1812,6 +1819,10 @@
             free_wordlist(addrs);
      }

+    /* Try MFA, if the plugin returns nonzero we fail to authenticate */
+    if (auth_mfa_hook)
+      if ( (*auth_mfa_hook)(client) ) return 0;
+
      len = strlen(secbuf);
      if (len > MAXSECRETLEN) {
         error("Secret for %s on %s is too long", client, server);
diff -urN ppp-2.4.9.orig/pppd/pppd.h ppp-2.4.9/pppd/pppd.h
--- ppp-2.4.9.orig/pppd/pppd.h  2021-01-04 23:06:37.000000000 +0000
+++ ppp-2.4.9/pppd/pppd.h       2022-01-28 10:47:21.192289610 +0000
@@ -767,6 +767,9 @@
  extern int (*eaptls_passwd_hook)(char *user, char *passwd);
  #endif

+/* Hook for a plugin to perform MFA given the user/client name */
+extern int (*auth_mfa_hook) __P((char *mfauser));
+
  /* Let a plugin snoop sent and received packets.  Useful for L2TP */
  extern void (*snoop_recv_hook)(unsigned char *p, int len);
  extern void (*snoop_send_hook)(unsigned char *p, int len);

                 reply	other threads:[~2022-01-28 11:13 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=34c707f1-1200-c17b-436e-f820617d6a6e@matrixnetwork.co.uk \
    --to=mike@matrixnetwork.co.uk \
    --cc=linux-ppp@vger.kernel.org \
    --subject='Re: [PATCH] Multi-factor authentication plugin hook' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).