[Freeipa-users] OTP and cached credentials

Dmitri Pal dpal at redhat.com
Thu Mar 12 22:26:29 UTC 2015


On 03/12/2015 04:59 PM, Jakub Hrozek wrote:
>> On 12 Mar 2015, at 21:32, Rob Verduijn <rob.verduijn at gmail.com> wrote:
>>
>> Hello,
>>
>> I was looking into otp authentication and found some articles on how to enable this in freeipa.
>>
>> I can't seem to figure out how this is going to deal with cached credentials on a laptop that is not able to connect to the ipa server.
>>
>> How is this going to work out when 'native OTP' is being used?
> I'm sorry, but currently it doesn't, as with the current (sssd-1.12.x) version we treat the long and one-time part as a single blob, so we can't cache it.
>
> In the next version, we'll work on prompting for and handling the short and long term parts of the authtok separately, so we'll be able to cache credentials.
>
Yes. Please do not use the current version for laptops.
See the warning:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#otp

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
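
A simplified model of the limitation described in the reply above, added here as an example; it is not SSSD or FreeIPA code, and `OfflineCache`, the sample password and the two login functions are hypothetical. The TOTP secret and timestamps are the RFC 6238 test values.

```python
import hashlib, hmac, os, struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OfflineCache:
    """Toy client-side cache: keeps a salted hash of whatever it is told to cache."""
    def __init__(self):
        self.salt = None
        self.digest = None

    def _hash(self, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self.salt, 100_000)

    def store(self, value: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(value)

    def verify(self, value: str) -> bool:
        return self.digest is not None and hmac.compare_digest(
            self.digest, self._hash(value))

# Constructed sample values
PASSWORD = "correct horse battery"      # long-term part
SECRET = b"12345678901234567890"        # RFC 6238 test secret; held by server and token only
T_ONLINE, T_OFFLINE = 59, 1111111109    # RFC 6238 test timestamps

def single_blob_offline_login() -> bool:
    """Client sees password+OTP as one opaque string and caches its hash."""
    cache = OfflineCache()
    cache.store(PASSWORD + totp(SECRET, T_ONLINE))            # online login
    # Offline, the user types a fresh OTP, so the blob no longer matches.
    return cache.verify(PASSWORD + totp(SECRET, T_OFFLINE))

def split_offline_login() -> bool:
    """Client prompts for the two parts separately and caches only the long-term one."""
    cache = OfflineCache()
    cache.store(PASSWORD)           # the OTP was checked by the server while online
    # Offline, only the long-term part can be compared; the client has no OTP secret.
    return cache.verify(PASSWORD)
```

In this model the offline check in the split case covers the long-term part only, since the one-time part cannot be verified without the server.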



