[Freeipa-users] OTP vs sudo

Martin Kosek mkosek at redhat.com
Fri Jul 24 07:43:40 UTC 2015


On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
> I'm planning our implementation of IdM/IPA, and I'm unclear about how I can implement IPA's OTP for privileged access.
>
> I need to be able to set up systems so:
>   * accounts can auth using traditional userid/password
>   * privileged access (sudo) requires OTP
>
> We've done some testing, injecting a 3rd party OTP solution (PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's built-in mojo work, I'd prefer to keep it all in the family.

Hello Kurt,

FreeIPA OTP cannot be configured at the moment to only require OTP in some 
services. We plan this for the future 
(https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.

Sudo is different though, as it is not a classic Kerberos service per se; this 
policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and 
Nathaniel, to see if they know about any hack allowing this.
