[Freeipa-users] Using FreeIPA OTP in a PAM module
Alexander Bokovoy
abokovoy at redhat.com
Sat Jun 27 04:47:00 UTC 2015
----- Original Message -----
> Hi,
>
> I'm exploring implementing a 2FA solution to my servers exposed to the public.
> Mainly to secure SSH with 2FA. The SSH keys and users are already in
> FreeIPA.
>
> Is there a way to utilize the OTP inside FreeIPA during a user login to these
> servers? A user will have to enter the TOTP code based on what's configured
> in FreeIPA. Something along the lines of
> https://github.com/google/google-authenticator/tree/master/libpam
If you are using SSSD (pam_sss), it will automatically accept 2FA.
You need to force OpenSSH to combine authentication methods, something like:

    AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

Look into the sshd_config manual page for details. This is a feature of OpenSSH 6.2 or later.
--
/ Alexander Bokovoy
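
An added example, not part of the original message: a shell check that a server's effective sshd settings really require a key plus a PAM-backed step in every accepted alternative, which is the property the AuthenticationMethods line above is meant to enforce. The function name check_sshd_2fa and the sample input are constructed for illustration; on a real host the input would come from `sshd -T`.

```shell
#!/bin/sh
# Added example. Reads effective sshd settings in the "keyword value" form
# printed by `sshd -T` on stdin. Returns 0 only if PAM is enabled and every
# AuthenticationMethods alternative needs publickey AND a password or
# keyboard-interactive step (the step pam_sss answers).
check_sshd_2fa() {
    cfg=$(tr 'A-Z' 'a-z')
    rc=0

    usepam=$(printf '%s\n' "$cfg" | awk '$1 == "usepam" { print $2 }')
    if [ "$usepam" != "yes" ]; then
        echo "FAIL: usepam is not yes, so sshd never calls the PAM stack"
        rc=1
    fi

    # One comma-separated list per line; each list is an accepted alternative.
    alts=$(printf '%s\n' "$cfg" |
        awk '$1 == "authenticationmethods" { for (i = 2; i <= NF; i++) print $i }')
    if [ -z "$alts" ] || [ "$alts" = "any" ]; then
        echo "FAIL: authenticationmethods not set, a single method is enough"
        return 1
    fi

    for alt in $alts; do
        has_key=0; has_pam=0
        for m in $(printf '%s' "$alt" | tr ',' ' '); do
            case "${m%%:*}" in          # drop a ":pam" device suffix
                publickey) has_key=1 ;;
                password|keyboard-interactive) has_pam=1 ;;
            esac
        done
        if [ "$has_key" -eq 1 ] && [ "$has_pam" -eq 1 ]; then
            echo "ok:   $alt"
        else
            echo "FAIL: $alt does not require both a key and a PAM step"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the line from the reply above plus UsePAM.
check_sshd_2fa <<'EOF'
usepam yes
authenticationmethods publickey,password:pam publickey,keyboard-interactive:pam
EOF
```

On a server, run it as root with `sshd -T | check_sshd_2fa`; a list such as `publickey` on its own among the alternatives is reported as a failure because it lets a key-only login through.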