[Freeipa-users] Host based 2FA ?

Dmitri Pal dpal at redhat.com
Thu Dec 11 23:30:06 UTC 2014


On 12/11/2014 06:32 PM, freeipa at pettyvices.com wrote:
>
> I'd like to be able to require 2FA on *certain* hosts and allow just 
> passwords on others.
>
> It seems you can check both "passwords" and "2FA" under the user.
>
> I was hoping I could create a HBAC such that certain hosts would only 
> allow 2FA, but I can't see an obvious way to do that.
>
> Is it possible?  Help on how would be great.  If not, feature request?
>
> thanks,
>
> -t
>
We have several tickets:

https://fedorahosted.org/freeipa/ticket/433

https://fedorahosted.org/freeipa/ticket/3659

https://fedorahosted.org/freeipa/ticket/4498

If you see https://fedorahosted.org/freeipa/ticket/4498#comment:6 we 
discussed this use case.
And I was about to fork it as said but then I realized that there is no 
good way on the KDC to determine the host you are coming from.
So IMO it should be a policy decision on SSSD.
There are two options:
- short term solution: allow SSSD to have a local overwrite to require 
OTP if server offers different options.
- longer term solution: actually have a per host policy that is 
centrally managed that is fetched per host and enforced by SSSD.

Before filing tickets I would like to hear opinions on the matter.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
