Suggestion: MFA for all kind of protocols and authenticationsources

Post here if you have some suggestions or you want to request a new feature.
Post Reply
axnav
Posts: 10
Joined: Thu May 19, 2016 10:11 am

Suggestion: MFA for all kind of protocols and authenticationsources

Post by axnav »

Dear WingFTP-developer,
our ISO auditor requested following points:

1. MFA should work for all kind of protocols ssh, http(s), ftp(s)...
A MFA activated user have to insert his password+OTPcode instead only the password.

2. MFA should work with local users and with AD / LDAP User too, the workaround with local users for AD/LDAP Users via mapping
is acceptable for an handful of user but not for hundreds of users.

Kindly regards,
Michael
FTP
Site Admin
Posts: 2065
Joined: Tue Sep 29, 2009 6:09 am

Re: Suggestion: MFA for all kind of protocols and authenticationsources

Post by FTP »

FTP/SFTP is not fit for two-factor authentication, if you really want to handle 2FA with FTP/SFTP protocol, you may add the following Lua script into the event "Domain > Event Manager > FTP/SSH Events > BeforeUserLoggedIn":

Code: Select all

local domain = "%Domain"
local user = c_GetUser("%Domain", "%Name")
local checked = false

if user ~= nil then
  local temppass = "%Password"
  local hashpass = ""
  local arraypass = ""

  if user.enable_two_factor == true then
    arraypass = Split(temppass, ":")
    temppass = arraypass[1]
  end

  if c_GetOptionInt(domain, DOPTION_ENABLE_PASS_SALTING) == 1 then
    local salt_string = c_GetOptionStr(domain, DOPTION_SALTING_STRING)
    temppass = temppass..salt_string
  end

  if c_GetOptionInt(domain, DOPTION_ENABLE_SHA256) == 1 then
    hashpass = sha2(temppass)
  else
    hashpass = md5(temppass)
  end

  if user.password == hashpass then
    checked = true
    if user.enable_two_factor == true then
      if c_TotpCode(user.two_factor_code) ~= arraypass[2] then
        checked = false
      end
    end
  end
end


if checked == true then
  bSelfAuthenticated  = true
else
  bCancelEvent = true
end

The password for the login attempt should be "Password:OTPcode", like "xxyyzz:123456".
Post Reply