[Freeipa-users] Using FreeIPA OTP in a PAM module

Prashant Bapat prashant at apigee.com
Sat Jun 27 07:36:46 UTC 2015


Aah ok !

Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended
up using nss-pam-ldap, nscd and nslcd.

However, this looks promising. Only for the servers exposed to the Internet I
could use CentOS/Fedora and this method of authentication. Let me try this
and come back to you.

Thanks.
--Prashant

On 27 June 2015 at 10:17, Alexander Bokovoy <abokovoy at redhat.com> wrote:

>
>
> ----- Original Message -----
> > Hi,
> >
> > I'm exploring implementing a 2FA solution for my servers exposed to the
> > public, mainly to secure SSH with 2FA. The SSH keys and users are already
> > in FreeIPA.
> >
> > Is there a way to utilize the OTP inside FreeIPA during a user login to
> > these servers? A user will have to enter the TOTP code based on what's
> > configured in FreeIPA. Something along the lines of
> > https://github.com/google/google-authenticator/tree/master/libpam
> If you are using SSSD (pam_sss), it will automatically accept 2FA.
>
> You need to force OpenSSH to combine authentication methods, something
> like:
>
> AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
> Look into the sshd_config manual page for details. This is a feature of
> OpenSSH 6.2 or later.
>
> --
> / Alexander Bokovoy
>
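
A check for the combined-method setup described in the quoted reply, as an added example that is not part of the original thread. It assumes the effective server settings are supplied in `sshd -T` format (lowercase "key value" lines); `check_sshd_2fa` is a hypothetical helper name and the sample settings are constructed.

```shell
# check_sshd_2fa: hypothetical helper (not part of OpenSSH or FreeIPA).
# Reads effective sshd settings in `sshd -T` format on stdin and returns 0
# only if every AuthenticationMethods alternative requires publickey plus
# a PAM-backed second step (keyboard-interactive or password).
check_sshd_2fa() {
    cfg=$(cat)
    get() {
        printf '%s\n' "$cfg" |
            awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
    }

    [ "$(get usepam)" = "yes" ] || { echo "FAIL: usepam is not yes"; return 1; }

    methods=$(get authenticationmethods)
    case "$methods" in
        ""|any) echo "FAIL: no AuthenticationMethods, one method suffices"; return 1 ;;
    esac

    # Older releases report challengeresponseauthentication instead.
    kbd=$(get kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(get challengeresponseauthentication)
    pw=$(get passwordauthentication)

    for list in $methods; do              # space-separated alternatives
        has_key=no; second=no
        old_ifs=$IFS; IFS=,
        for m in $list; do                # comma-separated required steps
            case "$m" in
                publickey) has_key=yes ;;
                keyboard-interactive|keyboard-interactive:pam)
                    if [ "$kbd" = "yes" ]; then second=yes; fi ;;
                password|password:pam)
                    if [ "$pw" = "yes" ]; then second=yes; fi ;;
            esac
        done
        IFS=$old_ifs
        if [ "$has_key" != yes ] || [ "$second" != yes ]; then
            echo "FAIL: '$list' does not require key plus PAM step"
            return 1
        fi
    done
    echo "OK: all alternatives require publickey and a PAM step"
}

# Constructed sample in `sshd -T` format (not captured from a real host).
SAMPLE_CFG='usepam yes
passwordauthentication yes
challengeresponseauthentication yes
authenticationmethods publickey,password:pam publickey,keyboard-interactive:pam'
printf '%s\n' "$SAMPLE_CFG" | check_sshd_2fa
```

On a real host the input would come from `sshd -T` run as root.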