[Freeipa-users] FreeIPA + Yubikey conditional login process

Dale Macartney dale at themacartneyclan.com
Sun Jan 13 00:17:50 UTC 2013



Evening all

So, the basis of my testing environment is as follows:

RHEL 6 running IPA 2.2 or 3.0 (Will be looking to test on both versions)
RHEL 6 and Fedora 18 workstations connected as ipa clients to IPA domain.

I am using this article in place with my testing environment.
https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/

What I would like to achieve is:

Scenario 1:
- From IPA client workstation
remote SSH session authenticates using current TGT from workstation
session. No password or yubikey prompt. This should be completely SSO.

Scenario 2:
- From Non-IPA client workstation
remote SSH session authenticates via password AND yubikey prompt as no
TGT is available.


What I don't know how to achieve is Scenario 2.

Is this possible? I'm processing it in my mind of PAM having a
conditional required option, but I don't know of a way to make it happen.

Thanks all

Dale





