[Freeipa-users] Using FreeIPA OTP in a PAM module

Jakub Hrozek jhrozek at redhat.com
Tue Jun 30 07:31:55 UTC 2015


On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > Hi,
> > > 
> > > I was able to set this up in a Fedora instance with SSSD and it works as
> > > expected. SSHD first uses the public key and then prompts for password
> > > which is of course password+OTP.
> > > 
> > > However, having a user enter the password+OTP every time he logs in during
> > > the day is kind of inconvenient. Is it possible to make sure the user has
> > > to login once and the credentials are cached for say 12/24 hours. I know
> > > this is possible just using the password. Question is, is this possible
> > > using password+OTP?
> > 
> > We have an SSSD feature under review now that would help you:
> >     https://fedorahosted.org/sssd/ticket/1807
> > 
> > But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> > should!
> 
> hm, I agree we should, but I guess we should test that cached
> authentication does _not_ work with 2FA/OTP. Because it is expected that
> the OTP token only works once, so that e.g. it can be used in an
> insecure environment to set up a secure tunnel.

Sure, the second factor must not be reused :-) but couldn't we use the
cached auth to support cases like this where the second factor is to be
used only once per some time and use only the first factor in the
meantime?

> 
> Maybe it would make sense to add a paragraph to
> https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication and
> discuss OTP/2FA usage here or on sssd-devel.

Yes, whatever the result is, it should be documented, also in the man
pages, because currently it's not clear what happens.
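One way to read the policy the reply above sketches (the second factor is verified online once per window and never replayed; in between only the first factor is checked against a local cache), as an added toy model that is not SSSD code and not from this thread; the `verify_online` callback, the window length and the injectable clock are assumptions for illustration:

```python
import hashlib
import hmac
import os
import time

CACHE_WINDOW = 12 * 3600  # seconds; the "once per 12 hours" case from the question


class CachedTwoFactorAuth:
    """Constructed model of cached authentication with 2FA (not SSSD's code).

    verify_online(user, password, otp) -> bool is assumed to be the full
    password+OTP check against the server (e.g. IPA/Kerberos).
    """

    def __init__(self, verify_online, window=CACHE_WINDOW, clock=time.time):
        self.verify_online = verify_online
        self.window = window
        self.clock = clock
        self.cache = {}         # user -> (salt, first-factor hash, time of last full 2FA)
        self.used_otps = set()  # (user, otp) pairs already consumed

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, user, password, otp=None):
        now = self.clock()
        entry = self.cache.get(user)
        if otp is None:
            # First factor only: accepted solely inside the window after a full 2FA login.
            if entry is None or now - entry[2] > self.window:
                return False
            salt, pw_hash, _ = entry
            return hmac.compare_digest(self._hash(salt, password), pw_hash)
        # Full 2FA: an OTP value is single-use, so a replay is refused even inside the window.
        if (user, otp) in self.used_otps:
            return False
        if not self.verify_online(user, password, otp):
            return False
        self.used_otps.add((user, otp))
        salt = os.urandom(16)
        self.cache[user] = (salt, self._hash(salt, password), now)
        return True
```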
