[Freeipa-users] Using FreeIPA OTP in a PAM module

Prashant Bapat prashant at apigee.com
Tue Jun 30 06:04:55 UTC 2015


Hi,

I was able to set this up in a Fedora instance with SSSD and it works as
expected. SSHD first uses the public key and then prompts for password
which is of course password+OTP.

However, having a user enter the password+OTP every time he logs in during
the day is kind of inconvenient. Is it possible to make sure the user has
to log in once and the credentials are cached for, say, 12/24 hours? I know
this is possible just using the password. Question is, is this possible
using password+OTP?

Thanks.
--Prashant

On 27 June 2015 at 13:06, Prashant Bapat <prashant at apigee.com> wrote:

> Aah ok !
>
> Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended
> up using nss-pam-ldap, nscd and nslcd.
>
> However this looks promising. Only for the servers exposed to Internet I
> could use CentOS/Fedora and this method of authentication. Let me try this
> and come back to you.
>
> Thanks.
> --Prashant
>
> On 27 June 2015 at 10:17, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > Hi ,
>> >
>> > I'm exploring implementing a 2FA solution to my servers exposed to
>> public.
>> > Mainly to secure SSH with 2FA. The SSH keys and users are already in
>> > FreeIPA.
>> >
>> > Is there a way to utilize the OTP inside FreeIPA during a user login to
>> > these servers? A user will have to enter the TOTP code based on what's
>> > configured in FreeIPA. Something along the lines of
>> > https://github.com/google/google-authenticator/tree/master/libpam
>> If you are using SSSD (pam_sss), it will automatically accept 2FA.
>>
>> You need to force OpenSSH to combine authentication methods, something
>> like:
>>
>> AuthenticationMethods publickey,password:pam
>> publickey,keyboard-interactive:pam
>>
>> Look into the sshd_config manual page for details. This is a feature of
>> OpenSSH 6.2 or later.
>>
>> --
>> / Alexander Bokovoy
>>
>
>
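As an added illustration (not part of the thread, and not FreeIPA's or OpenSSH's own tooling), the following POSIX sh function checks whether an sshd_config text actually forces two factors the way Alexander's AuthenticationMethods line does: every space-separated alternative must require publickey plus a password or keyboard-interactive method (PAM-backed or not), so that no alternative lets a key alone or "any" through. The configuration snippets are constructed for the example; the function reads only the first AuthenticationMethods line, as sshd does, and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: verify that an sshd_config enforces publickey + a second,
# PAM-capable method in every AuthenticationMethods alternative.
# Assumes POSIX sh and awk; no sshd is needed, the config is passed as text.

# check_auth_methods CONFIG_TEXT
#   returns 0 when the first AuthenticationMethods line exists and every
#   alternative lists publickey together with password or
#   keyboard-interactive (with or without a :pam qualifier);
#   returns 1 otherwise (keyword missing, "any", key-only alternative, ...).
check_auth_methods() {
    conf="$1"
    # sshd honours the first occurrence of a keyword; comment lines start
    # with '#' and so never match the keyword in field 1.
    line=$(printf '%s\n' "$conf" |
        awk 'tolower($1) == "authenticationmethods" { $1 = ""; print; exit }')
    [ -n "$line" ] || return 1

    for alt in $line; do            # alternatives are space separated
        pk=0
        other=0
        oldifs=$IFS
        IFS=,                         # methods inside one alternative
        for m in $alt; do
            case "$m" in
                publickey) pk=1 ;;
                password|password:*|keyboard-interactive|keyboard-interactive:*)
                    other=1 ;;
            esac
        done
        IFS=$oldifs
        # both factors must be present in this alternative
        if [ "$pk" -ne 1 ] || [ "$other" -ne 1 ]; then
            return 1
        fi
    done
    return 0
}

# Constructed sample configurations (not from any real host).
STRONG_CONF='UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam'

WEAK_CONF='UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes'

MIXED_CONF='UsePAM yes
AuthenticationMethods publickey,password:pam any'

for name in STRONG_CONF WEAK_CONF MIXED_CONF; do
    eval "cfg=\$$name"
    if check_auth_methods "$cfg"; then
        echo "$name: both factors enforced"
    else
        echo "$name: single-factor login still possible"
    fi
done
```

Run it as a plain script; on a live host you can feed it the effective configuration with `sshd -T` instead of a literal string, since that output uses the same keyword form.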