[Freeipa-users] Using Native OTP for auth from specific hosts

Michael Lasevich mlasevich at gmail.com
Mon Aug 11 19:17:25 UTC 2014


Thanks for quick response, further questions inline.


On Mon, Aug 11, 2014 at 11:49 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>
>> Ok, I am trying to figure out how to use native OTP capabilities in
>> FreeIPA4 to authenticate users but I am not finding enough docs on how to
>> USE OTP.
>>
>> Specifically I would like to force OTP authentication on specific servers
>> while allowing password auth in other cases. As I understand
>> authentication, you can either select OTP or password or both
>> authentications, but if you select both, the user can use password instead
>> of otp from ANY server.
>>
> That is correct.
>
>
So, it is NOT intended to be used for border-style 2FA authentication (i.e.
VPN), which seems like it may be a common use case for 2FA?


>
>> Is there any way to block password auth based on source (HBAC rules?) So
>> far the only way I can figure out is to create a second account, which is
>> less than optimal.
>>
> No, this functionality is not supported. One particular issue is that
> we'll need to authenticate before applying HBAC rules, not after, so
> some other means to validate the request chain are needed.
>

> Additionally, Kerberos authentication requires you to enter your credentials
> only when obtaining a ticket granting ticket (TGT), which happens before
> a client will ask for a ticket to a specific service. Also, renewing the
> ticket might be possible without the original credentials. Perhaps we could
> add a flag into the TGT that would tell how strong the credentials were (how
> many factors were in use) when the TGT was obtained, and then use it in a
> policy to see if a ticket to the target service principal could be
> granted.
>
>
I think I understand - HBAC has no way to know how you authenticated, so
you cannot make rules based on that?

Is there a way to test OTP token auth while bypassing Kerberos? For
example, you can validate a user's password via an LDAP login; can you do a
similar validation of an OTP token directly?

Thanks,

-M
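A toy model of the policy Alexander sketches above, added here as an illustration and not code from the thread or from FreeIPA: the factor count is known only at TGT time, so the KDC records it in the TGT and enforces a per-service minimum when a service ticket is requested, which is the check HBAC (evaluated after authentication) cannot make. The user directory, the per-service policy table, the `factors` field and the use of HOTP (RFC 4226) as the second factor are all assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: password, HOTP token secret and counter,
# and which auth types the user is allowed (here: both, as in the thread).
# The RFC 4226 test secret is used so the expected codes are well known.
USERS = {
    "alice": {"password": "correct horse", "token_secret": b"12345678901234567890",
              "counter": 0, "auth_types": {"password", "otp"}},
}
# Constructed policy: minimum number of factors a TGT must carry per service.
SERVICE_POLICY = {"host/vpn.example.test": 2, "host/dev.example.test": 1}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 over the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


@dataclass(frozen=True)
class TGT:
    principal: str
    factors: int  # recorded once, when the TGT was obtained (assumed field)


def obtain_tgt(user: str, password: str, otp: Optional[str] = None) -> Optional[TGT]:
    """AS exchange: the only point at which credentials are actually checked."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(password, rec["password"]):
        return None
    factors = 1
    if otp is not None:
        expected = hotp(rec["token_secret"], rec["counter"])
        if "otp" not in rec["auth_types"] or not hmac.compare_digest(otp, expected):
            return None
        rec["counter"] += 1  # advance so the same HOTP value is never accepted twice
        factors = 2
    return TGT(user, factors)


def service_ticket(tgt: TGT, service: str) -> bool:
    """TGS exchange: no credentials are presented, only the TGT's recorded strength."""
    return tgt.factors >= SERVICE_POLICY.get(service, 1)
```

With both auth types enabled, a password-only TGT still opens the ordinary host but is refused for the border host, which is the per-host distinction the thread is asking for.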