[Freeipa-users] Using Native OTP for auth from specific hosts

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 11 20:04:15 UTC 2014


On Mon, 11 Aug 2014, Michael Lasevich wrote:
>On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>>
>>> So, it is NOT intended to use for border-style 2FA authentication (i.e.
>>> VPN) - which seems may be a common use case for 2FA?
>>>
>> You can always supplement authentication check with some host-specific
>> information at the VPN concentrator. We don't have ready to use solution
>> here but it is definitely possible to use such scheme against FreeIPA
>> 2FA.
>>
>>
>Sorry, I am not following.  What do you mean by "host-specific
>information"? If system has no way to detect how many factors were involved
>in authentication, how would I be able to guarantee that only 2FA is
>allowed via this box?
>
>I suppose this can work: I can write code that will:
>
>1 - detects if there are OTP numbers at the end of the password
>2 - authenticates using full 2FA
>3 - authenticates using just password without 2FA
>
>And then authenticate only if all 3 conditions are satisfied. Seems a bit
>hacky, but that is the only way I can think that may work.
2 and 3 are the same from IPA's point of view, just an LDAP bind.
Ideally SSSD could handle this as part of a PAM stack by providing PAM
feedback that could be used by other modules. There was no request for
this functionality before.

However, I was mostly thinking that you may have an authentication
sequence where, after a successful auth, you would check the tokens associated
with the user to see if there is a recent update within the same time
period on one of the tokens. This would work right now, though it is a bit of a
hack -- a better one than the 2-accounts-per-user.

-- 
/ Alexander Bokovoy
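A sketch of the post-bind token check described above, added here as an example and not code from this thread or from FreeIPA. It assumes the user's token entries have already been read into dicts with `owner` and `last_update` fields (field names are an assumption, not FreeIPA's schema) and treats "the same time period" as one TOTP step on either side of the bind time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of token records, as they might look after being read
# from the user's token entries. Field names are an assumption for this example.
SAMPLE_TOKENS = [
    {"id": "tok-hw-1", "owner": "mlasevich",
     "last_update": datetime(2014, 8, 11, 20, 0, 10, tzinfo=timezone.utc)},
    {"id": "tok-old", "owner": "mlasevich",
     "last_update": datetime(2014, 8, 10, 9, 0, 0, tzinfo=timezone.utc)},
    {"id": "tok-other", "owner": "someone",
     "last_update": datetime(2014, 8, 11, 20, 0, 12, tzinfo=timezone.utc)},
]


def token_used_in_window(tokens, user, auth_time, step=30, skew_steps=1):
    """Return the id of a token owned by `user` whose last update falls within
    `skew_steps` TOTP steps of `auth_time`, or None if no token qualifies.

    A successful bind alone does not reveal whether an OTP was part of the
    credential; a token update in the same window is the evidence we rely on.
    """
    lo = auth_time - timedelta(seconds=step * skew_steps)
    hi = auth_time + timedelta(seconds=step * skew_steps)
    for tok in tokens:
        if tok["owner"] != user:
            continue  # only the authenticating user's tokens count
        if lo <= tok["last_update"] <= hi:
            return tok["id"]
    return None


def accept_login(bind_ok, tokens, user, auth_time, **window):
    """Gate for a 2FA-only entry point (e.g. a VPN concentrator): the LDAP
    bind must have succeeded AND one of the user's tokens must show use in
    the same time period. Password-only binds are rejected even though IPA
    accepted them."""
    if not bind_ok:
        return False
    return token_used_in_window(tokens, user, auth_time, **window) is not None


if __name__ == "__main__":
    now = datetime(2014, 8, 11, 20, 0, 20, tzinfo=timezone.utc)
    print(accept_login(True, SAMPLE_TOKENS, "mlasevich", now))   # True
    print(accept_login(True, SAMPLE_TOKENS, "nobody", now))      # False
```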