[Freeipa-users] Host based 2FA ?

Dmitri Pal dpal at redhat.com
Fri Dec 12 18:32:03 UTC 2014 

On 12/12/2014 01:27 PM, Simo Sorce wrote:
> On Fri, 12 Dec 2014 13:17:18 -0500
> Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 12/12/2014 01:07 PM, Simo Sorce wrote:
>>> On Thu, 11 Dec 2014 18:30:06 -0500
>>> Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>>> On 12/11/2014 06:32 PM, freeipa at pettyvices.com wrote:
>>>>> I'd like to be able to require 2FA on *certain* hosts and allow
>>>>> just passwords on others.
>>>>>
>>>>> It seems you can check both "passwords" and "2FA" under the user.
>>>>>
>>>>> I was hoping I could create a HBAC such that certain hosts would
>>>>> only allow 2FA, but I can't see an obvious way to do that.
>>>>>
>>>>> Is it possible?  Help on how would be great.  If not, feature
>>>>> request?
>>>>>
>>>>> thanks,
>>>>>
>>>>> -t
>>>>>
>>>> We have several tickets:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/433
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3659
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4498
>>>>
>>>> If you see https://fedorahosted.org/freeipa/ticket/4498#comment:6
>>>> we discussed this use case.
>>>> And I was about to fork it as said but then I realized that there
>>>> is not good way on the KDC to determine the host you are coming
>>>> from. So IMO it should be a policy decision on SSSD.
>>>> There are two options:
>>>> - short term solution: allow SSSD to have a local overwrite to
>>>> require OTP if server offers different options.
>>>> - longer term solution: actually have a per host policy that is
>>>> centrally managed that is fetched per host and enforced by SSSD.
>>>>
>>>> Before filing tickets I would like to hear opinions on the matter.
>>> If we are using a FAST channel using the credentials of the host
>>> then you may be able to know (probably requires changes in the KDC
>>> to internally retain/convey the information).
>>> This is possible via SSSD, but will not work via kinit done by a
>>> generic user, so normal kinit's would require 2FA all the time.
>>>
>>> Simo.
>>>
>> Can kinit do FAST? Is there some kind of kinit flag to use FAST?
> Yes kinit can do FAST, but is cumbersome to manually do it.
>
>> May be in such setup we will require all clients to use FAST for the
>> accounts that have several options configured.
> It won't help, users do not have access to the host keys so they can't
> do FAST with *those* keys.
>
>> Then we will know the principal used to armor the connection and can
>> make policy decisions based on it.
> We can do this with SSSD because it has access to the host key, being a
> privileged process. Normal user's can't.
>
> Simo.
>
What about kinit working with GSS proxy in this case?
Can that help?
May be we can convince MIT to add an option to proxy kinit via GSS proxy 
and use GSS proxy to armor?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list