[Freeipa-users] OTP authentication without Password
Jochen Hein
jochen at jochen.org
Wed Aug 31 05:14:27 UTC 2016
"Master P." <junkmafia89 at gmail.com> writes:
> Is it possible to authenticate a user with only OTP and ssh-pubkeys?
Yes, but you need some tool managing OTP without password/PIN, which
FreeIPA doesn't seem to support. I use privacyidea to manage my OTP
tokens and have a working configuration.
> So far I have successfully configured FreeIPA to use Two factor
> authentication (password + OTP). I had to change the sshd_config to
> achieve this by modifying the AuthenticationMethods to be:
>
> AuthenticationMethods publickey,password:pam
> publickey,keyboard-interactive-pam
I do use:
Match Group otpusers
AuthenticationMethods publickey,keyboard-interactive:pam gssapi-with-mic
When authenticating with ssh key, also require PAM. Having a kerberos
ticket grants access.
My PAM configuration is:
# If the user is in group otpusers, we use the next rule, otherwise we skip
# the call to pam_yubico.
auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
auth sufficient pam_yubico.so id=<clientid> key=<key> urllist=https://privacyidea.jochen.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
I use Yubikeys in mode YUBICO, but my own privacyidea authentication
server. It should be also possible to use privacyidea as a backend
behind a RADIUS server for FreeIPA (I do use it for OpenVPN, but not
FreeIPA).
If find it more flexible to hand off OTP to a special tool like
privacyidea oder linotp - a token on FreeIPA, Kolab, or another
application is only a single purpose token.
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
More information about the Freeipa-users
mailing list