[Freeipa-users] Using Native OTP for auth from specific hosts

Dmitri Pal dpal at redhat.com
Mon Aug 11 20:15:49 UTC 2014


On 08/11/2014 08:49 PM, Alexander Bokovoy wrote:
> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>> Ok, I am trying to figure out how to use native OTP capabilities in
>> FreeIPA4 to authenticate users but I am not finding enough docs on
>> how to USE OTP.
>>
>> Specifically I would like to force OTP authentication on specific
>> servers while allowing password auth in other cases. As I understand
>> authentication, you can either select OTP or password or both
>> authentications, but if you select both, the user can use password
>> instead of otp from ANY server.
> That is correct.
>
>> Is there any way to block password auth based on source (HBAC rules?) So
>> far the only way I can figure out is to create a second account,
>> which is less than optimal.
> No, this functionality is not supported. One particular issue is that
> we'll need to authenticate before applying HBAC rules, not after, so
> some other means to validate the request chain are needed.
>
> Additionally, Kerberos authentication requires you to enter your credentials
> only when obtaining a ticket granting ticket (TGT) which happens before
> a client will ask for a ticket to a specific service. Also, renewing the
> ticket might be possible without original credentials. Perhaps we could
> add a flag into TGT that would tell how strong were credentials (how
> many factors were in use) when TGT was obtained and then use it in a
> policy to see if a ticket to the target service principal could be
> granted.
>
> It's worth filing an RFE, anyway.
>
We already have these RFEs and they are in the plans.
They have not been implemented because they required a lot of upstream
Kerberos standards work.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
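The flow Alexander sketches above (credentials checked only when the TGT is obtained, renewal and service-ticket requests without credentials, and a TGT-carried record of how many factors were used that a per-service policy can consult) as a toy model. This is an added example, not code from the thread or from FreeIPA; the user, services, policy table and HOTP secret are all constructed.

```python
import hashlib, hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ticket:
    principal: str
    service: str        # "krbtgt" for the TGT itself
    factors: frozenset  # authentication factors used when the TGT was obtained

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; used here as the second factor."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample data (hypothetical names); the token secret is the RFC 4226 test key.
OTP_SECRET = b"12345678901234567890"
USERS = {"alice": {"password": "correct-horse", "otp_secret": OTP_SECRET, "counter": 0}}
# Per-service policy: every listed factor must be present in the TGT.
SERVICE_POLICY = {
    "host/bastion.example.test": {"password", "otp"},  # OTP enforced only here
    "host/wiki.example.test": {"password"},            # password alone is enough
}

def as_req(user: str, password: str, otp: Optional[str] = None) -> Ticket:
    """AS exchange: credentials are checked once; the TGT records which factors were used."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        raise PermissionError("bad password")
    factors = {"password"}
    if otp is not None:
        if not hmac.compare_digest(hotp(rec["otp_secret"], rec["counter"]), otp):
            raise PermissionError("bad OTP")
        rec["counter"] += 1  # never accept the same HOTP value twice
        factors.add("otp")
    return Ticket(user, "krbtgt", frozenset(factors))

def tgs_req(tgt: Ticket, service: str) -> Ticket:
    """TGS exchange: no credentials are re-entered, so policy can only use what the TGT carries."""
    required = SERVICE_POLICY.get(service, set())
    if not required <= tgt.factors:
        raise PermissionError(f"{service} needs {sorted(required)}, TGT has {sorted(tgt.factors)}")
    return Ticket(tgt.principal, service, tgt.factors)

def renew(tgt: Ticket) -> Ticket:
    """Renewal also needs no credentials, so the factor record must be carried over unchanged."""
    return Ticket(tgt.principal, tgt.service, tgt.factors)
```

With only a password in the TGT the wiki ticket is issued and the bastion ticket is refused; with password plus OTP at AS time both are issued, and a renewed TGT keeps the same factor record.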
