[Freeipa-users] Using FreeIPA OTP in a PAM module

Simo Sorce simo at redhat.com
Tue Jun 30 10:14:30 UTC 2015


On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
> On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > > Hi,
> > > > > 
> > > > > I was able to set this up in a Fedora instance with SSSD and it works as
> > > > > expected. SSHD first uses the public key and then prompts for password
> > > > > which is of course password+OTP.
> > > > > 
> > > > > However, having a user enter the password+OTP every time he logs in during
> > > > > the day is kind of inconvenient. Is it possible to make sure the user has
> > > > > to login once and the credentials are cached for say 12/24 hours. I know
> > > > > this is possible just using the password. Question is, is this possible
> > > > > using password+OTP?
> > > > 
> > > > We have an SSSD feature under review now that would help you:
> > > >     https://fedorahosted.org/sssd/ticket/1807
> > > > 
> > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> > > > should!
> > > 
> > > hm, I agree we should, but I guess we should test that cached
> > > authentication does _not_ work with 2FA/OTP. Because it is expected that
> > > the OTP token only works once, so that e.g. it can be used in an
> > > insecure environment to set up a secure tunnel.
> > 
> > Sure, the second factor must not be reused :-) but couldn't we use the
> > cached auth to support cases like this where the second factor is to be
> > used only once per some time and use only the first factor in the
> > meantime?
> 
> I'm a bit reluctant here. If the two factors are intercepted in an
> insecure environment the attacker will still have a valid password which
> can be used for some time. Additionally, iirc cached authentication is
> not aware of the service used. If e.g. OTP was used to just get a
> response from some unprotected and unprivileged service the intercepted
> password can be used to log in with ssh as well. So I guess we need a
> careful discussion here.

The solution for these environments already exists and it is called
GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or
more hours. There is no need to invent broken ways to skip two factor
auth when we already have a way to make this easy *and* secure.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
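The GSSAPI route Simo describes, as an added configuration example that is not part of the thread or of FreeIPA's own documentation; the realm, host pattern and lifetimes are assumptions, and the FreeIPA client is assumed to be enrolled with SSSD:

```conf
# /etc/krb5.conf on the client: the TGT obtained once with password+OTP is
# what carries the user for the rest of the day (lifetimes are assumptions).
[libdefaults]
    default_realm = EXAMPLE.COM        # placeholder realm
    ticket_lifetime = 10h              # the "10 or more hours" from the reply
    renew_lifetime = 7d
    forwardable = false                # keep the TGT from leaving the workstation

# ~/.ssh/config on the client: present the Kerberos ticket instead of
# prompting for password+OTP on every login (host pattern is an assumption).
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no       # second factor was spent once; do not delegate

# /etc/ssh/sshd_config on the FreeIPA-enrolled server: accept the ticket via
# GSSAPI and drop the forwarded ccache (if any) at logout.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Server-side upper bound on the TGT lifetime lives in FreeIPA's Kerberos
# ticket policy, in seconds (36000 s = 10 h):
#   ipa krbtpolicy-mod --maxlife=36000
#
# Daily flow on the client: an SSSD console login obtains the TGT with
# password+OTP; with plain kinit, FreeIPA OTP needs FAST armor, e.g.
#   kinit -n -c FILE:/tmp/armor.ccache && kinit -T FILE:/tmp/armor.ccache user
# then `klist` shows the TGT and `ssh host.example.com` uses it via GSSAPI.
```

The OTP is consumed exactly once at kinit time; SSH sessions for the rest of the ticket lifetime reuse the TGT, so nothing reusable is ever typed into the remote host.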
