[Freeipa-users] Using Native OTP for auth from specific hosts

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 11 18:49:23 UTC 2014


On Mon, 11 Aug 2014, Michael Lasevich wrote:
>Ok, I am trying to figure out how to use native OTP capabilities in
>FreeIPA4 to authenticate users but I am not finding enough docs on how to
>USE OTP.
>
>Specifically I would like to force OTP authentication on specific servers
>while allowing password auth in other cases. As I understand
>authentication, you can either select OTP or password or both
>authentications, but if you select both, the user can use password instead
>of otp from ANY server.
That is correct.

>Is there any way to block password auth based on source (HBAC rules?) So
>far the only way I can figure out is to create a second account, which is
>less than optimal.
No, this functionality is not supported. One particular issue is that
we'll need to authenticate before applying HBAC rules, not after, so
some other means to validate the request chain are needed.

Additionally, Kerberos authentication requires you to enter your credentials
only when obtaining a ticket granting ticket (TGT), which happens before
a client will ask for a ticket to a specific service. Also, renewing the
ticket might be possible without the original credentials. Perhaps we could
add a flag into the TGT that would tell how strong the credentials were (how
many factors were in use) when the TGT was obtained and then use it in a
policy to see if a ticket to the target service principal could be
granted.

It's worth filing an RFE, anyway.

-- 
/ Alexander Bokovoy
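The policy sketched in the reply above (record credential strength at TGT time, check it at service-ticket time, and carry it unchanged through renewal) as an added model, not code from the original message, from FreeIPA or from MIT krb5. The factor counts, service names, the `SERVICE_POLICY` table and the function names are assumptions of this illustration; a real KDC would carry the strength inside the ticket rather than in a Python object.

```python
"""Model of the design sketched in the reply: a TGT records how many
factors were used when it was obtained, and the KDC consults that record
before issuing a ticket to a service that demands a minimum.  Added
illustration only; names and policy values are made up."""
from dataclasses import dataclass, replace

# Assumed strength scale: password alone is one factor, password plus
# OTP is two.
PASSWORD = 1
PASSWORD_AND_OTP = 2


@dataclass(frozen=True)
class TGT:
    principal: str
    factors: int          # strength recorded during the AS exchange
    renewals: int = 0


# Hypothetical per-service minimum strength (the "policy" in the reply).
SERVICE_POLICY = {
    "host/bastion.example.test": PASSWORD_AND_OTP,
    "host/wiki.example.test": PASSWORD,
}


class AuthError(Exception):
    pass


def as_exchange(principal, password_ok, otp_ok=None):
    """Issue a TGT.  This is the only point where credentials are
    checked; otp_ok is None when no OTP was presented, True/False when
    one was presented and verified/rejected."""
    if not password_ok:
        raise AuthError("bad password")
    if otp_ok is False:
        raise AuthError("bad OTP")
    factors = PASSWORD_AND_OTP if otp_ok else PASSWORD
    return TGT(principal, factors)


def renew(tgt):
    """Renewal needs no credentials, so the recorded strength is copied
    through unchanged: it can never be upgraded by renewing."""
    return replace(tgt, renewals=tgt.renewals + 1)


def tgs_exchange(tgt, service):
    """Grant a service ticket only if the TGT's recorded strength meets
    the service's minimum.  Services without a policy entry accept a
    password-only TGT."""
    required = SERVICE_POLICY.get(service, PASSWORD)
    if tgt.factors < required:
        raise AuthError(f"{service} requires {required} factor(s); "
                        f"TGT for {tgt.principal} has {tgt.factors}")
    return {"principal": tgt.principal, "service": service,
            "factors": tgt.factors}


def can_reach(tgt, service):
    """Convenience wrapper returning a bool instead of raising."""
    try:
        tgs_exchange(tgt, service)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    weak = as_exchange("alice", password_ok=True)
    strong = as_exchange("alice", password_ok=True, otp_ok=True)
    for tgt in (weak, strong, renew(weak)):
        for svc in SERVICE_POLICY:
            print(f"{tgt.factors} factor(s) -> {svc}: {can_reach(tgt, svc)}")
```

The two properties worth noticing are the ones the reply calls out: the decision cannot be made by HBAC after authentication, because the strength has to be known when the TGT is issued, and a renewed TGT keeps the strength it was issued with, so a password-only TGT stays unable to reach the OTP-only host no matter how often it is renewed.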
