[Freeipa-users] Host based 2FA ?

Simo Sorce simo at redhat.com
Fri Dec 12 18:07:56 UTC 2014


On Thu, 11 Dec 2014 18:30:06 -0500
Dmitri Pal <dpal at redhat.com> wrote:

> On 12/11/2014 06:32 PM, freeipa at pettyvices.com wrote:
> >
> > I'd like to be able to require 2FA on *certain* hosts and allow
> > just passwords on others.
> >
> > It seems you can check both "passwords" and "2FA" under the user.
> >
> > I was hoping I could create a HBAC such that certain hosts would
> > only allow 2FA, but I can't see an obvious way to do that.
> >
> > Is it possible?  Help on how would be great.  If not, feature
> > request?
> >
> > thanks,
> >
> > -t
> >
> We have several tickets:
> 
> https://fedorahosted.org/freeipa/ticket/433
> 
> https://fedorahosted.org/freeipa/ticket/3659
> 
> https://fedorahosted.org/freeipa/ticket/4498
> 
> If you see https://fedorahosted.org/freeipa/ticket/4498#comment:6 we 
> discussed this use case.
> And I was about to fork it as said but then I realized that there is
> no good way on the KDC to determine the host you are coming from.
> So IMO it should be a policy decision on SSSD.
> There are two options:
> - short term solution: allow SSSD to have a local overwrite to
> require OTP if server offers different options.
> - longer term solution: actually have a per host policy that is 
> centrally managed that is fetched per host and enforced by SSSD.
> 
> Before filing tickets I would like to hear opinions on the matter.

If we are using a FAST channel using the credentials of the host then
you may be able to know (probably requires changes in the KDC to
internally retain/convey the information).
This is possible via SSSD, but will not work via kinit done by a
generic user, so normal kinits would require 2FA all the time.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
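The two options Dmitri lists (a local SSSD override that narrows the auth types the server offers, and a centrally managed per-host policy fetched and enforced on the client) both come down to the same decision: take the auth types enabled on the user's IPA entry and intersect them with what this host is allowed to accept. The model below is an added illustration written for this page, not SSSD or FreeIPA code; the rule fields, the hostgroup matching and the sample hosts and users are all assumptions. It also shows the edge case a practitioner will hit immediately: a password-only user on a host that requires OTP ends up with no acceptable auth type at all, which is a deny rather than a fallback to password.

```python
"""Illustrative model of per-host 2FA policy evaluation on the client side.

Added example for this thread, not SSSD/FreeIPA code. The HostPolicy rule
format, its field names, and the sample hosts, hostgroups and users below are
assumptions made for the example.
"""

from dataclasses import dataclass

PASSWORD = "password"
OTP = "otp"


@dataclass(frozen=True)
class HostPolicy:
    """One centrally managed rule (assumed format): where it applies and what
    auth types it accepts. An empty `users` set means the rule applies to
    every user on the matched hosts, mirroring HBAC's 'all users' semantics."""
    name: str
    hosts: frozenset = frozenset()       # exact host names
    hostgroups: frozenset = frozenset()  # hostgroup names the host belongs to
    users: frozenset = frozenset()       # empty = all users
    accepted: frozenset = frozenset({OTP})  # auth types this rule still allows


def rule_matches(rule: HostPolicy, host: str, host_groups, user: str) -> bool:
    """True when the rule covers both this host and this user."""
    host_hit = host in rule.hosts or bool(rule.hostgroups & frozenset(host_groups))
    user_hit = not rule.users or user in rule.users
    return host_hit and user_hit


def allowed_auth_types(server_types, host, host_groups, user, rules,
                       local_accepted=None) -> frozenset:
    """Auth types the client may offer the user on this host.

    server_types   : what the user's IPA entry enables, e.g. {"password", "otp"};
                     this is all a plain kinit from any host would ever see.
    local_accepted : the short-term option, a host-local override such as
                     {"otp"}; None means no local override.
    rules          : the longer-term option, centrally managed per-host rules.
    Every matching restriction is applied by intersection, so the result can
    only get narrower than what the server offers, never wider.
    """
    allowed = set(server_types)
    if local_accepted is not None:
        allowed &= frozenset(local_accepted)
    for rule in rules:
        if rule_matches(rule, host, host_groups, user):
            allowed &= rule.accepted
    return frozenset(allowed)


def decide(server_types, host, host_groups, user, rules, local_accepted=None) -> str:
    """Human-readable outcome: which prompt to present, or 'deny' if the host's
    policy leaves the user with no acceptable auth type."""
    allowed = allowed_auth_types(server_types, host, host_groups, user, rules,
                                 local_accepted)
    if not allowed:
        return "deny"
    return "+".join(sorted(allowed))


# Constructed sample policy (assumption): bastions accept OTP only for everyone,
# and the 'admins' account must use OTP on any host in the 'prod' hostgroup.
RULES = [
    HostPolicy("bastion-otp", hostgroups=frozenset({"bastions"})),
    HostPolicy("prod-admin-otp", hostgroups=frozenset({"prod"}),
               users=frozenset({"admin"})),
]


if __name__ == "__main__":
    both = {PASSWORD, OTP}
    print("alice on bastion :", decide(both, "bastion1.example.test", {"bastions"}, "alice", RULES))
    print("bob (pw only) on bastion:", decide({PASSWORD}, "bastion1.example.test", {"bastions"}, "bob", RULES))
    print("alice on ws1     :", decide(both, "ws1.example.test", set(), "alice", RULES))
    print("admin on db1/prod:", decide(both, "db1.example.test", {"prod"}, "admin", RULES))
    print("local override   :", decide(both, "ws1.example.test", set(), "alice", [], local_accepted={OTP}))
```

Note what this model cannot do, which is exactly Simo's point: `server_types` is the same regardless of host, because the KDC has no host identity to key on unless the request is FAST-armored with the host's credentials. The narrowing above therefore only protects logins that go through the client enforcing it; a user running a plain `kinit` still gets whatever the server offers.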
