[Freeipa-users] How can I set up OTP for user authentication?

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 7 04:48:45 UTC 2014


On Sun, 06 Apr 2014, Nathan Broadbent wrote:
>Hello,
>
>I'm running FreeIPA version 3.3.4. I've done a little research, and it
>seems like this version is missing support for OTP, but I could have sworn
>that I found a page that said that OTP was finished and ready to use. And
>in the server installation logs, I found some references to 'ipa-otpd'.
OTP support is part of the FreeIPA 4.0 release plan. What was released prior
to that represents different components of the solution but not the full solution
(yet). Full OTP functionality requires changes on both the server and client
side. For example, password changes and token synchronization are two elements
which are tightly coupled client/server-side, though we have a few more
specific examples.

>I also remember reading about an otp plugin for FreeIPA, but it doesn't
>seem to be installed on my server.
>
>Our case is that we want to require OTP codes for SSH authentication. Even
>for public key authentication, we would like to add a ForceCommand
>directive to ssh config that would require the OTP code. It would be
>awesome if that could be configured on a per-server basis in FreeIPA.
>
>Is OTP production ready? I found the 'Red Hat Test Day' page where people
>were testing OTP. If 3.3.4 doesn't support OTP, I'm happy to compile from
>source. Where can I find the source / branch with the most current OTP
>features? Will it be included in 4.0.0? Or should I checkout the 'otpui'
>[1] branch on GitHub?
OTP support is not yet production ready, at least not labeled so in any
released FreeIPA version; we plan it for 4.0.

The following URL gives you an overview of what still needs to be
finished:
https://fedorahosted.org/freeipa/query?component=OTP&status=!closed

You can try experimenting with the COPR repo I've made for testing OTP
functionality:
http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/

It requires Fedora 20 with all updates (including the updates-testing repo)
installed prior to use. We are also still tuning the SELinux policy, so in
some cases there might be an occasional AVC even with a fully updated
system. These need to be reported to bugzilla.redhat.com.

At this moment Fedora 20 is the only platform one can target as an
experimental FreeIPA server with OTP functionality enabled.

>Very keen to start using the feature, and I'd be happy to help report and
>fix any bugs. But at the same time, I don't want to compromise our security
>if this feature hasn't been properly audited, so advice would be
>appreciated.
As I said, this feature is under development. Some bugs may still lurk
in the code but wider testing should help in clearing them up, so any
effort in testing is definitely welcome!

-- 
/ Alexander Bokovoy
