Closed mike-k0 closed 2 years ago
If you mean keyboard interactive auth, please take a look here.
The built-in MFA is generic and supports any standard phone app without requiring specific integration, why would you prefer to use the old way with a custom hook?
I'm more so curious about the options available.
There are some libraries already which implement RFC 6238, so I could just use those to generate a shared secret for TOTPs and use that particular library's code to verify TOTP codes inside of the hook when it is executed.
Hi guys,
I have enabled MFA on my server, and it works great on the web client. However I cannot make it apply for SFTP connections... Here's my config:

```json
"sftpd": {
  "bindings": [
    {
      "port": 666,
      "address": "",
      "apply_proxy_config": true
    }
  ],
  "max_auth_tries": 5,
  "banner": "Welcome to my sFTP server. Log in and lose a hand.",
  "host_keys": [],
  "kex_algorithms": [],
  "ciphers": [],
  "macs": [],
  "trusted_user_ca_keys": [],
  "login_banner_file": "",
  "enabled_ssh_commands": [ "md5sum", "sha1sum", "cd", "pwd", "scp" ],
  "keyboard_interactive_authentication": true,
  "keyboard_interactive_auth_hook": "",
  "password_authentication": true,
  "folder_prefix": ""
},
```
What am I missing?
Thanks!
F.
Your client needs to use the keyboard interactive authentication. You can disable password_authentication globally so only public key and keyboard interactive auth are available, or you can disable some auth methods on a per-user basis to force keyboard interactive authentication usage.
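Added example (not SFTPGo's code and not part of the reply above): a small Python check that reads the `sftpd` section exactly as posted in this thread and reports the global setting that lets a client finish login without the keyboard-interactive exchange, then produces the corrected section. The per-user alternative mentioned in the reply is not covered; the check only looks at the two global keys named in the thread.

```python
import json

# The "sftpd" section as posted earlier in this thread, loaded as a Python dict.
POSTED_SFTPD = json.loads("""
{
  "bindings": [{"port": 666, "address": "", "apply_proxy_config": true}],
  "max_auth_tries": 5,
  "banner": "Welcome to my sFTP server. Log in and lose a hand.",
  "host_keys": [],
  "kex_algorithms": [],
  "ciphers": [],
  "macs": [],
  "trusted_user_ca_keys": [],
  "login_banner_file": "",
  "enabled_ssh_commands": ["md5sum", "sha1sum", "cd", "pwd", "scp"],
  "keyboard_interactive_authentication": true,
  "keyboard_interactive_auth_hook": "",
  "password_authentication": true,
  "folder_prefix": ""
}
""")


def mfa_enforcement_findings(sftpd: dict) -> list:
    """
    Flag global sftpd settings that let an SSH client complete login without
    the keyboard-interactive exchange that carries the second factor.
    """
    findings = []
    if sftpd.get("password_authentication", False):
        findings.append(
            "password_authentication is true: clients may authenticate with a "
            "password alone and never receive the keyboard-interactive MFA prompt"
        )
    if not sftpd.get("keyboard_interactive_authentication", False):
        findings.append(
            "keyboard_interactive_authentication is false: no SSH auth method "
            "is left that can prompt for the second factor"
        )
    return findings


def enforce_keyboard_interactive(sftpd: dict) -> dict:
    """Return a copy with password auth disabled and keyboard-interactive kept on."""
    fixed = json.loads(json.dumps(sftpd))  # deep copy so the posted dict is untouched
    fixed["password_authentication"] = False
    fixed["keyboard_interactive_authentication"] = True
    return fixed


if __name__ == "__main__":
    for finding in mfa_enforcement_findings(POSTED_SFTPD):
        print("WARN:", finding)
    print(json.dumps({"sftpd": enforce_keyboard_interactive(POSTED_SFTPD)}, indent=2))
```

Public key authentication is left as it is, matching the reply: after the change, only public key and keyboard-interactive remain, so a client that wants to use a password has to go through the interactive prompt where the second factor is collected.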
Is there any specific guidance for MFA implementation with TOTPs, for example?
I believe I see an `mfa` list of structs in the configuration. If instead we wanted to use external authentication hooks, for example, could we theoretically implement our own validation flow for TOTPs and check them in the password prompt? Or is there a more recommended way?