<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/12/2013 07:17 PM, Dale Macartney wrote:<br>
<span style="white-space: pre;">><br>
> Evening all<br>
><br>
> So, basis of my testing environment is as follows<br>
><br>
> RHEL 6 running IPA 2.2 or 3.0 (Will be looking to test on
both versions)<br>
> RHEL 6 and Fedora 18 workstations connected as ipa clients to
IPA domain.<br>
><br>
> I am using this article in place with my testing environment.<br>
>
<a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/">https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/</a><br>
><br>
> What I would like to achieve is:<br>
><br>
> Scenario 1:<br>
> - From IPA client workstation<br>
> remote SSH session authenticates using current TGT from
workstation<br>
> session. No password or yubikey prompt. This should be
completely SSO.<br>
><br>
> Scenario 2:<br>
> - From Non-IPA client workstation<br>
> remote SSH session authenticates via password AND yubikey
prompt as no<br>
> TGT is available.<br>
><br>
><br>
> What I don't know how to achieve is Scenario 2.<br>
><br>
> Is this possible? I'm processing it in my mind of pam having
a<br>
> conditional required option, but I don't know of a way to
make it happen.<br>
></span><br>
<br>
From my past experience it was possible if the PAM modules you want
to stack support the right PAM flags and conditions. I do not
remember the details; it was quite some time ago, but I know that
something like this can be accomplished if pam_yubikey (I assume
something like this exists) and pam_sss are stacked in the right
way.<br>
<br>
<span style="white-space: pre;">> Thanks all<br>
><br>
> Dale<br>
><br>
><br>
></span><br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
</body>
</html>