[Freeipa-users] interesting Kerberos issue

Janelle janellenicole80 at gmail.com
Mon May 18 20:04:02 UTC 2015


On 5/18/15 7:47 AM, Nathaniel McCallum wrote:
> On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:
>> Ok, let me ask this a different way, because maybe there is a way,
>> and I am just not seeing it.
>>
>> I have 2 datacenters with typical bastions in each. I have enabled
>> OTP and that works fine via ssh. But the user has to log in to both
>> and opening ssh tunnels is problematic at best.
>>
>> Using all the creativity in this list, maybe someone knows of another
>> way to have a user authenticate from a Mac where they would only have
>> to do it once to get their ticket?
>>
>> I guess I can't think of anything, but no harm in asking.
> Without support for the OTP pre-authentication mechanism, I don't know
> of any way to do this while still retaining the security properties of
> Kerberos. Basically, you'll have to hand over your password to a third
> party (which has OTP support). This is ill advised.
>
> Nathaniel
Going to see about installing MIT version from source on Yosemite and
see what happens. Current is 1.13.2

Will let you know
~J



