Dear WingFTP developer,
our ISO auditor requested the following points:
1. MFA should work for all kinds of protocols: SSH, HTTP(S), FTP(S)...
An MFA-activated user has to enter his password + OTP code instead of only the password.
2. MFA should work with local users and with AD/LDAP users too; the workaround of mapping AD/LDAP users to local users
is acceptable for a handful of users but not for hundreds of users.
Kind regards,
Michael
Suggestion: MFA for all kinds of protocols and authentication sources
Posts: 10
Joined: Thu May 19, 2016 10:11 am

Site Admin
Posts: 2090
Joined: Tue Sep 29, 2009 6:09 am
Re: Suggestion: MFA for all kinds of protocols and authentication sources
FTP/SFTP is not fit for two-factor authentication; if you really want to handle 2FA with the FTP/SFTP protocol, you may add the following Lua script to the event "Domain > Event Manager > FTP/SSH Events > BeforeUserLoggedIn":
The password for the login attempt should be "Password:OTPcode", like "xxyyzz:123456".
Code:
-- WingFTP Lua for Domain > Event Manager > FTP/SSH Events > BeforeUserLoggedIn.
-- A user with two-factor enabled logs in with "Password:OTPcode"; the script
-- verifies both parts itself and tells the server the login is already authenticated.
local domain = "%Domain"
local user = c_GetUser("%Domain", "%Name")
local checked = false

if user ~= nil then
    local temppass = "%Password"
    local hashpass = ""
    local otpcode = nil

    if user.enable_two_factor == true then
        -- Split at the LAST colon so a password that itself contains ':' still works;
        -- the OTP part must be all digits. If no ":digits" suffix is present, otpcode
        -- stays nil and the login is rejected below.
        local pwdpart, codepart = string.match(temppass, "^(.*):(%d+)$")
        if pwdpart ~= nil then
            temppass = pwdpart
            otpcode = codepart
        end
    end

    -- Hash the supplied password exactly as the domain stores it
    -- (optional salt appended, then SHA-256 or MD5 depending on the domain option).
    if c_GetOptionInt(domain, DOPTION_ENABLE_PASS_SALTING) == 1 then
        local salt_string = c_GetOptionStr(domain, DOPTION_SALTING_STRING)
        temppass = temppass..salt_string
    end
    if c_GetOptionInt(domain, DOPTION_ENABLE_SHA256) == 1 then
        hashpass = sha2(temppass)
    else
        hashpass = md5(temppass)
    end

    if user.password == hashpass then
        checked = true
        -- Password is right; a two-factor user must also supply the current TOTP code.
        if user.enable_two_factor == true then
            if otpcode == nil or c_TotpCode(user.two_factor_code) ~= otpcode then
                checked = false
            end
        end
    end
end

if checked == true then
    bSelfAuthenticated = true   -- skip the server's own password check
else
    bCancelEvent = true         -- reject the login attempt
end
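The check the script above performs can be tried outside WingFTP. The following is an added example, not WingFTP code and not the forum poster's script: it implements the same "Password:OTPcode" credential format in Python, splitting at the last colon so a password containing ':' still works, computing the RFC 6238 TOTP that c_TotpCode is assumed to produce (HMAC-SHA1, 6 digits, 30-second step, base32 secret as authenticator apps expect), and comparing against a constructed user record whose password is stored as salted SHA-256 in the same "password..salt" order the domain options describe. Two additions beyond the Lua script are labelled in the code: constant-time comparisons and a one-step clock-skew window. The user record, salt and secret (the RFC 6238 test key) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo data (not a WingFTP data structure). The TOTP secret is the
# RFC 6238 test key "12345678901234567890", base32-encoded as an authenticator
# app would store it.
DEMO_SALT = "demo-salt"
DEMO_PASSWORD = "pa:ss:word"  # contains colons on purpose
DEMO_TOTP_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hash_password(password, salt):
    """Salted SHA-256 in the same 'password followed by salt' order as the Lua script."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


DEMO_USER = {
    "password_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
    "two_factor_enabled": True,
    "totp_secret": DEMO_TOTP_SECRET,
}


def totp(secret_b32, timestamp, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed to match what c_TotpCode returns)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(combined):
    """Split 'password:otp' at the LAST colon; returns (password, None) if no digit suffix."""
    head, sep, tail = combined.rpartition(":")
    if not sep or not tail.isdigit():
        return combined, None
    return head, tail


def verify_login(user, combined, salt, now=None, skew_steps=1, step=30):
    """Return True only if password matches and, for 2FA users, the OTP is current."""
    now = int(time.time()) if now is None else now
    if user["two_factor_enabled"]:
        password, otp = split_credential(combined)
    else:
        password, otp = combined, None
    # Addition over the Lua script: constant-time comparison of the hash.
    if not hmac.compare_digest(hash_password(password, salt), user["password_hash"]):
        return False
    if not user["two_factor_enabled"]:
        return True
    if otp is None:
        return False
    # Addition over the Lua script: accept the neighbouring time steps to
    # tolerate small clock drift between the server and the user's device.
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + k * step, step=step), otp):
            return True
    return False


if __name__ == "__main__":
    code = totp(DEMO_TOTP_SECRET, int(time.time()))
    print("current OTP:", code)
    print("login ok:", verify_login(DEMO_USER, DEMO_PASSWORD + ":" + code, DEMO_SALT))
```

Run it as-is to see a login succeed with the current code; the RFC 6238 vectors (time 59 gives 287082, time 1111111109 gives 081804 for this key) let you check the TOTP routine against a known answer before trusting it against a real authenticator.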