
Suggestion: MFA for all kinds of protocols and authentication sources

Posted: Wed Dec 20, 2023 11:33 am
by axnav
Dear WingFTP developer,
our ISO auditor requested the following points:

1. MFA should work for all kinds of protocols: SSH, HTTP(S), FTP(S)...
An MFA-activated user has to enter his password + OTP code instead of only the password.

2. MFA should work with local users and with AD/LDAP users too; the workaround of mapping local users for AD/LDAP users
is acceptable for a handful of users but not for hundreds of users.

Kind regards,

Re: Suggestion: MFA for all kinds of protocols and authentication sources

Posted: Thu Dec 21, 2023 5:13 am
by FTP
FTP/SFTP is not fit for two-factor authentication; if you really want to handle 2FA with the FTP/SFTP protocol, you may add the following Lua script into the event "Domain > Event Manager > FTP/SSH Events > BeforeUserLoggedIn":

Code:

-- Runs in the FTP/SSH "BeforeUserLoggedIn" event. A 2FA user sends
-- "Password:OTPcode" as the password; the script checks both parts itself.
local domain = "%Domain"
local user = c_GetUser("%Domain", "%Name")
local checked = false

if user ~= nil then
  local temppass = "%Password"
  local hashpass = ""
  local arraypass = ""

  -- For a 2FA user, the text before the first ':' is the password and the
  -- text after it is the OTP code.
  if user.enable_two_factor == true then
    arraypass = Split(temppass, ":")
    temppass = arraypass[1]
  end

  -- Hash the submitted password the same way the domain stores it:
  -- optional salt appended, then SHA-256 or MD5 depending on the domain option.
  if c_GetOptionInt(domain, DOPTION_ENABLE_PASS_SALTING) == 1 then
    local salt_string = c_GetOptionStr(domain, DOPTION_SALTING_STRING)
    temppass = temppass..salt_string
  end

  if c_GetOptionInt(domain, DOPTION_ENABLE_SHA256) == 1 then
    hashpass = sha2(temppass)
  else
    hashpass = md5(temppass)
  end

  -- The password hash must match; for a 2FA user the OTP code must also equal
  -- the current TOTP value (a missing code, arraypass[2] == nil, fails here).
  if user.password == hashpass then
    checked = true
    if user.enable_two_factor == true then
      if c_TotpCode(user.two_factor_code) ~= arraypass[2] then
        checked = false
      end
    end
  end
end

-- Mark the login as authenticated by this script and cancel the default
-- handling; if checked is false nothing is set and the server proceeds as usual.
if checked == true then
  bSelfAuthenticated = true
  bCancelEvent = true
end

The password for the login attempt should be "Password:OTPcode", like "xxyyzz:123456".
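As an added, stand-alone illustration of the "Password:OTPcode" scheme described in the reply above (this is not code from the original post nor Wing FTP Server's own code, and it does not use the Wing FTP Lua API): the Python below mirrors the script's flow, hashing the submitted password with the domain's optional salt and SHA-256/MD5 choice, comparing it against the stored digest, and then checking the OTP part against an RFC 6238 TOTP (SHA-1, 6 digits, 30-second step). The user record and domain options are constructed for the example. Two design choices go beyond the Lua script and are assumptions of this example, not Wing FTP behaviour: the credential is split on the last ':' so a password that itself contains ':' still works, and codes from the previous and next time step are accepted to tolerate clock skew between client and server. Digest comparisons use constant-time equality.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

TOTP_STEP = 30      # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_SKEW = 1       # also accept the previous/next step (assumption of this example)


@dataclass
class User:
    """Constructed stand-in for the user record the Lua script reads."""
    name: str
    password_hash: str          # hex digest as stored by the domain
    enable_two_factor: bool
    totp_secret: Optional[bytes] = None


@dataclass
class DomainOptions:
    """Constructed stand-in for the domain's salting / hash-algorithm options."""
    pass_salting: bool
    salt_string: str
    sha256: bool                # True -> SHA-256, False -> MD5


def hash_password(plain: str, opts: DomainOptions) -> str:
    """Hash a password the way the domain stores it: optional salt appended,
    then SHA-256 or MD5."""
    data = plain + opts.salt_string if opts.pass_salting else plain
    digest = hashlib.sha256 if opts.sha256 else hashlib.md5
    return digest(data.encode("utf-8")).hexdigest()


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(now) // step)


def split_credential(combined: str) -> Tuple[str, Optional[str]]:
    """'Password:OTPcode' -> (password, code). Splits on the LAST ':' so a
    password containing ':' survives; returns (combined, None) without a separator."""
    if ":" not in combined:
        return combined, None
    password, _, code = combined.rpartition(":")
    return password, code


def verify(user: User, combined: str, opts: DomainOptions, now: Optional[float] = None) -> bool:
    """Return True if the submitted credential authenticates the user."""
    now = time.time() if now is None else now
    if user.enable_two_factor:
        password, code = split_credential(combined)
    else:
        password, code = combined, None

    # Password check first, in constant time against the stored digest.
    if not hmac.compare_digest(hash_password(password, opts), user.password_hash):
        return False
    if not user.enable_two_factor:
        return True
    if code is None or user.totp_secret is None:
        return False            # 2FA user without an OTP code: reject

    # Accept the current step plus TOTP_SKEW steps either side.
    step = int(now) // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(user.totp_secret, step + d), code)
        for d in range(-TOTP_SKEW, TOTP_SKEW + 1)
    )


if __name__ == "__main__":
    opts = DomainOptions(pass_salting=True, salt_string="s4lt", sha256=True)
    secret = b"12345678901234567890"          # RFC 6238 test secret
    alice = User("alice", hash_password("xxyyzz", opts), True, secret)
    print("xxyyzz:" + totp(secret, 59), "->", verify(alice, "xxyyzz:" + totp(secret, 59), opts, now=59))
```

The `__main__` block logs in with the RFC 6238 test secret at T=59, where the 6-digit code is 287082, so the submitted credential is "xxyyzz:287082" in the format the reply describes.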