[Freeipa-users] Using FreeIPA OTP in a PAM module

Prashant Bapat prashant at apigee.com
Wed Jul 1 01:12:03 UTC 2015


Hi Simo,

Thanks for the reply. Could you please elaborate or point me to some
documentation on how to set this up?

What I want to be able to achieve is that a user should log in with 2FA
once a day and all subsequent logins are allowed through public key only.

Regards.
--Prashant

On 30 June 2015 at 15:44, Simo Sorce <simo at redhat.com> wrote:

> On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
> > On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> > > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I was able to set this up in a Fedora instance with SSSD and it works as
> > > > > > expected. SSHD first uses the public key and then prompts for password
> > > > > > which is of course password+OTP.
> > > > > >
> > > > > > However, having a user enter the password+OTP every time he logs in during
> > > > > > the day is kind of inconvenient. Is it possible to make sure the user has
> > > > > > to log in once and the credentials are cached for say 12/24 hours? I know
> > > > > > this is possible just using the password. Question is, is this possible
> > > > > > using password+OTP?
> > > > >
> > > > > We have an SSSD feature under review now that would help you:
> > > > >     https://fedorahosted.org/sssd/ticket/1807
> > > > >
> > > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> > > > > should!
> > > >
> > > > hm, I agree we should, but I guess we should test that cached
> > > > authentication does _not_ work with 2FA/OTP. Because it is expected that
> > > > the OTP token only works once, so that e.g. it can be used in an
> > > > insecure environment to set up a secure tunnel.
> > >
> > > Sure, the second factor must not be reused :-) but couldn't we use the
> > > cached auth to support cases like this where the second factor is to be
> > > used only once per some time and use only the first factor in the
> > > meantime?
> >
> > I'm a bit reluctant here. If the two factors are intercepted in an
> > insecure environment the attacker will still have a valid password which
> > can be used for some time. Additionally, iirc cached authentication is
> > not aware of the service used. If e.g. OTP was used to just get a
> > response from some unprotected and unprivileged service the intercepted
> > password can be used to log in with ssh as well. So I guess we need a
> > careful discussion here.
>
> The solution for these environments already exists and it is called
> GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or
> more hours. There is no need to invent broken ways to skip two factor
> auth when we already have a way to make this easy *and* secure.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
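Simo's suggestion worked through as an added example (not code from the thread, FreeIPA or SSSD): obtain one TGT with password+OTP, then let ssh authenticate with GSSAPI until the ticket expires, so the second factor is entered once per ticket lifetime. The realm, host names, ticket lifetime and the sshd/ssh options shown are assumptions of this example, and it assumes an IPA-enrolled client whose /etc/krb5.conf was written by ipa-client-install.

```shell
#!/bin/sh
# Added example, not from the thread: get a Kerberos TGT once with
# password+OTP, then use it over GSSAPI for the rest of its lifetime.
# Realm, hosts and the 10h lifetime below are constructed values.
#
# Server side (/etc/ssh/sshd_config):
#   GSSAPIAuthentication yes
#   GSSAPICleanupCredentials yes
# Client side (~/.ssh/config):
#   Host *.example.test
#       GSSAPIAuthentication yes
#       GSSAPIDelegateCredentials no

# Exit 0 when the default credential cache holds an unexpired TGT.
tgt_is_valid() {
    klist -s 2>/dev/null
}

# Request a TGT only when none is valid. kinit prompts for the password
# and, for an OTP-enabled IPA user, for the token value. Depending on
# the krb5/IPA version a FAST armor cache (kinit -T) may be required;
# this example assumes the client is already set up for that.
ensure_tgt() {
    principal="$1"
    if tgt_is_valid; then
        return 0
    fi
    kinit -l "${TGT_LIFETIME:-10h}" "$principal"
}

# Log in with the cached TGT: neither password nor OTP is sent again,
# and a stolen session cannot replay a second factor that was never typed.
ssh_gssapi() {
    principal="$1"
    host="$2"
    ensure_tgt "$principal" || return 1
    ssh -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic "$host"
}

# Example use (constructed names):
#   ssh_gssapi alice@EXAMPLE.TEST bastion.example.test
```

Run `klist` afterwards to see the TGT expiry; sshd still needs a host principal keytab (ipa-client-install provides one) for the gssapi-with-mic exchange to succeed.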