[Freeipa-users] Using FreeIPA OTP in a PAM module

Sumit Bose sbose at redhat.com
Tue Jun 30 07:22:13 UTC 2015


On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > Hi,
> > 
> > I was able to set this up in a Fedora instance with SSSD and it works as
> > expected. SSHD first uses the public key and then prompts for password
> > which is of course password+OTP.
> > 
> > However, having a user enter the password+OTP every time he logs in during
> > the day is kind of inconvenient. Is it possible to make sure the user has
> > to login once and the credentials are cached for say 12/24 hours. I know
> > this is possible just using the password. Question is, is this possible
> > using password+OTP?
> 
> We have an SSSD feature under review now that would help you:
>     https://fedorahosted.org/sssd/ticket/1807
> 
> But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> should!

hm, I agree we should, but I guess we should test that cached
authentication does _not_ work with 2FA/OTP. Because it is expected that
the OTP token only works once, so that e.g. it can be used in an
insecure environment to set up a secure tunnel.

Maybe it would make sense to add a paragraph to
https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication and
discuss OTP/2FA usage here or on sssd-devel.

bye,
Sumit

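
As an added example (not code from this thread, from SSSD or from FreeIPA), a toy Python model of the property Sumit describes: the OTP half of a password+OTP login is single-use, because the server burns each RFC 4226 HOTP counter it accepts, so a client-side cache only records single-factor logins and never replays a 2FA login offline. The Server/Client classes and the 12-hour cache lifetime are assumptions made for the illustration.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Server:
    """Toy identity server (assumed): verifies password or password+OTP.
    Each HOTP counter value is accepted at most once, so a captured OTP cannot be replayed."""
    def __init__(self, password, secret=None, window=5):
        self.password, self.secret, self.window = password, secret, window
        self.counter = 0  # next HOTP counter the server expects

    def verify(self, typed: str) -> bool:
        if self.secret is None:                      # single-factor account
            return hmac.compare_digest(typed, self.password)
        if len(typed) < 6 or not hmac.compare_digest(typed[:-6], self.password):
            return False
        otp = typed[-6:]
        for c in range(self.counter, self.counter + self.window):  # small look-ahead window
            if hmac.compare_digest(otp, hotp(self.secret, c)):
                self.counter = c + 1                 # burn this counter: a replay now fails
                return True
        return False

class Client:
    """Toy SSSD-like client (assumed): caches only single-factor logins for `ttl` seconds."""
    def __init__(self, server, ttl=12 * 3600):
        self.server, self.ttl, self.cache = server, ttl, None

    def login(self, typed: str, now: int) -> str:
        """Online authentication; decides afterwards whether the credential may be cached."""
        if not self.server.verify(typed):
            return "denied"
        if self.server.secret is None:
            # Password only: cache a digest (a real cache would use a salted, slow hash).
            self.cache = (hashlib.sha256(typed.encode()).hexdigest(), now + self.ttl)
        else:
            self.cache = None  # 2FA: the OTP part was single-use, there is nothing to replay
        return "online-ok"

    def cached_login(self, typed: str, now: int) -> str:
        """Offline authentication against the cache; only possible for single-factor logins."""
        if self.cache is None or now > self.cache[1]:
            return "denied"
        digest = hashlib.sha256(typed.encode()).hexdigest()
        return "cached-ok" if hmac.compare_digest(digest, self.cache[0]) else "denied"
```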