[Freeipa-users] Host based 2FA ?

Dmitri Pal dpal at redhat.com
Fri Dec 12 18:37:53 UTC 2014 

On 12/12/2014 01:32 PM, Dmitri Pal wrote:
> On 12/12/2014 01:27 PM, Simo Sorce wrote:
>> On Fri, 12 Dec 2014 13:17:18 -0500
>> Dmitri Pal <dpal at redhat.com> wrote:
>>
>>> On 12/12/2014 01:07 PM, Simo Sorce wrote:
>>>> On Thu, 11 Dec 2014 18:30:06 -0500
>>>> Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>>> On 12/11/2014 06:32 PM, freeipa at pettyvices.com wrote:
>>>>>> I'd like to be able to require 2FA on *certain* hosts and allow
>>>>>> just passwords on others.
>>>>>>
>>>>>> It seems you can check both "passwords" and "2FA" under the user.
>>>>>>
>>>>>> I was hoping I could create a HBAC such that certain hosts would
>>>>>> only allow 2FA, but I can't see an obvious way to do that.
>>>>>>
>>>>>> Is it possible?  Help on how would be great.  If not, feature
>>>>>> request?
>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> -t
>>>>>>
>>>>> We have several tickets:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/433
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3659
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4498
>>>>>
>>>>> If you see https://fedorahosted.org/freeipa/ticket/4498#comment:6
>>>>> we discussed this use case.
>>>>> And I was about to fork it as said but then I realized that there
>>>>> is not good way on the KDC to determine the host you are coming
>>>>> from. So IMO it should be a policy decision on SSSD.
>>>>> There are two options:
>>>>> - short term solution: allow SSSD to have a local overwrite to
>>>>> require OTP if server offers different options.
>>>>> - longer term solution: actually have a per host policy that is
>>>>> centrally managed that is fetched per host and enforced by SSSD.
>>>>>
>>>>> Before filing tickets I would like to hear opinions on the matter.
>>>> If we are using a FAST channel using the credentials of the host
>>>> then you may be able to know (probably requires changes in the KDC
>>>> to internally retain/convey the information).
>>>> This is possible via SSSD, but will not work via kinit done by a
>>>> generic user, so normal kinit's would require 2FA all the time.
>>>>
>>>> Simo.
>>>>
>>> Can kinit do FAST? Is there some kind of kinit flag to use FAST?
>> Yes kinit can do FAST, but is cumbersome to manually do it.
>>
>>> May be in such setup we will require all clients to use FAST for the
>>> accounts that have several options configured.
>> It won't help, users do not have access to the host keys so they can't
>> do FAST with *those* keys.
>>
>>> Then we will know the principal used to armor the connection and can
>>> make policy decisions based on it.
>> We can do this with SSSD because it has access to the host key, being a
>> privileged process. Normal user's can't.
>>
>> Simo.
>>
> What about kinit working with GSS proxy in this case?
> Can that help?
> May be we can convince MIT to add an option to proxy kinit via GSS 
> proxy and use GSS proxy to armor?
>
Also is kinit is a requirement?
AFAIK if kinit is used and not is going via FAST then OTP is not 
possible at all.
So we can have a policy to allow or not allow any authentication without 
FAST.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list