privacyidea / privacyidea-credential-provider

Credential Provider to enhance the Windows login with a second factor
Apache License 2.0

Feature request: Exclusion list for certain IP addresses #170

Open gesture1968 opened 1 month ago

gesture1968 commented 1 month ago

I would like to request a feature in the Windows credential provider client. Although I could try to append the code myself, I'm unable to compile the source code on VS2022 due to Linker errors. The request is to have a registry setting containing a list of IP blocks that are excluded from two-factor authentication. I'm using the client on a number of PCs in my network, and they are accessible from the internet via RDP. I want them to use two-factor authentication, but only from the internet and not when I'm connecting to the PCs via my local network. If the client could check the list of excluded IP addresses, it could skip the two-factor for my internal IP addresses.

Regards, Ge.

nilsbehlen commented 1 month ago

Hi, we have had this idea ourselves or as a request multiple times now. The problem I found is that there is no reliable way to get the client IP in RDP scenarios. We would need to use internal Windows APIs which can break at any time in the future with any update, and even then it seems to work only for RD Gateways.

Have you done any research on that yet if you were to append the code yourself?

gesture1968 commented 1 month ago

Hello Nils,

Thank you for the quick response. I did not yet do any research as I presumed that I might be able to use the APIs that you describe. I can see that this might be a problem either now or in the future. Perhaps checking the Event Viewer for event ID 25 in TerminalServices-LocalSessionManager/Operational could be a solution? I found that when an RDP session is successfully authenticated by its user/password combination and before the two-factor authentication is validated, the IP address is logged in event ID 25. One might assume that the Windows code used for reading from the Event Viewer is not changed in the near future.

Regards, Ge.

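One way to evaluate the event ID 25 idea from the comment above against a registry-style exclusion list of IP blocks, as an added example that is not from the issue or the project's code. The event record below is constructed (user, session ID and Address value are made up, only the UserData/EventXML layout follows the real log), the comma-separated CIDR registry value is an assumed format, and anything that is not a parsable client address keeps the second factor.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an event ID 25 record from the
# Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log,
# in the XML form Get-WinEvent returns via .ToXml(). User, SessionID and
# Address are made up; the UserData/EventXML layout follows the real schema.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" />
    <EventID>25</EventID>
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>CORP\\ge</User>
      <SessionID>3</SessionID>
      <Address>192.168.10.42</Address>
    </EventXML>
  </UserData>
</Event>"""

# Hypothetical registry value: comma-separated CIDR blocks that may skip the
# second factor (assumed format, not a setting the project defines).
EXCLUDED_BLOCKS = "192.168.10.0/24, 10.0.0.0/8, fd00::/8"


def parse_exclusions(value):
    """Turn the comma-separated registry string into ip_network objects."""
    items = (s.strip() for s in value.split(","))
    return [ipaddress.ip_network(s, strict=False) for s in items if s]


def source_address(event_xml):
    """Return the <Address> text of the record, or None if it is absent."""
    root = ET.fromstring(event_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Address" and el.text:
            return el.text.strip()
    return None


def second_factor_required(event_xml, exclusions):
    """False only if the client address lies inside an excluded block.
    A missing or unparsable address ('LOCAL' for console sessions, an empty
    field) fails closed so the second factor is still asked for."""
    addr = source_address(event_xml)
    if addr is None:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # Dual-stack hosts may log IPv4 clients as IPv4-mapped IPv6 addresses.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in exclusions)
```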

nilsbehlen commented 1 month ago

I have only explored the "direct" way via the Win32 API, which is not really viable, so maybe an indirect way might work better. I will check what you said when I have some time. Another option would be to check for the IP of the connection on port 3389.