[Freeipa-users] OTP vs sudo

Bendl, Kurt Kurt.Bendl at nrel.gov
Tue Jul 28 17:02:17 UTC 2015


Thank you for the reply, Martin.

This is what I'd expected, even though I was hoping for a workaround. ;-)
The per-service OTP is a hot button for us, as well as sudo.
For now, we'll go the PrivacyIDEA + RADIUS route for OTP, and look
forward to all the future awesomeness!

-Kurt


On 7/24/15, 1:43 AM, "Martin Kosek" <mkosek at redhat.com> wrote:

>On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
>> I'm planning our implementation of IdM/IPA, and I'm unclear about how I
>> can implement IPA's OTP for privileged access.
>>
>> I need to be able to set up systems so:
>>   * accounts can auth using traditional userid/password
>>   * privileged access (sudo) requires OTP
>>
>> We've done some testing, injecting a 3rd party OTP solution
>> (PrivacyIDEA) into the mix. This seems to work. But, if I can make IPA's
>> built-in mojo work, I'd prefer to keep it all in the family.
>
>Hello Kurt,
>
>FreeIPA OTP cannot be configured at the moment to only require OTP in
>some services. We plan this for the future
>(https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.
>
>Sudo is different though as it is not a classic Kerberos service per se,
>this policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub
>and Nathaniel, to see if they know about any hack allowing this.
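For readers following the same route Kurt settled on, this is what enforcing the split (plain password for login, OTP only for sudo) looks like at the PAM layer with the RADIUS module, since IPA itself cannot scope OTP per service. It is an added illustration, not configuration from this thread, FreeIPA or PrivacyIDEA; the server address, shared secret and file paths are placeholders, and it assumes the PrivacyIDEA RADIUS endpoint is configured to accept the user's OTP value.

```text
# /etc/pam.d/sudo (RHEL/CentOS layout, placeholder example)
#
# Only the sudo stack is changed; /etc/pam.d/system-auth stays as-is,
# so interactive login keeps using the normal IPA password via SSSD.
#
# "required" means a RADIUS reject always fails sudo, even if a later
# module would succeed. The module prompts for "Password:" and sends
# whatever is typed to the RADIUS server, so the user types the OTP.
auth       required   pam_radius_auth.so conf=/etc/pam_radius_auth.conf
auth       include    system-auth
account    include    system-auth
password   include    system-auth
session    include    system-auth

# /etc/pam_radius_auth.conf (placeholder values; mode 0600, root-owned)
# server[:port]        shared_secret              timeout
radius.example.internal:1812  REPLACE_WITH_SHARED_SECRET  3
```

Two things worth checking after deploying: that the RADIUS server is reachable only over a trusted network or tunnel (RADIUS secrets and the OTP in transit are protected by the shared secret alone), and that sudo's timestamp caching (`timestamp_timeout`) still matches how often you expect an OTP to be re-entered.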
