[Freeipa-users] IPA & Yubikey

Nathaniel McCallum npmccallum at redhat.com
Wed Apr 27 12:54:18 UTC 2016


On Wed, 2016-04-27 at 10:22 +0200, Martin Kosek wrote:
> On 04/22/2016 10:40 PM, Jeremy Utley wrote:
> > Hello all!
> > 
> > I'm quite close to reaching the ideal point with our new FreeIPA setup, but one
> > thing that is standing in the way is 2FA.  I know FreeIPA has support for Google
> > Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over the phone-based
> > systems, but a lot of the docs regarding Yubikey seem to either be out-dated, or
> > not real clear (at least to me).  So I'd like to ask a few questions to make
> > sure I'm understanding correctly.
> > 
> > 1) It looks like the normal setup of a Yubikey is to plug it into a machine and
> > run the "ipa otptoken-add-yubikey" command.  This implies that the machine that
> > sets up the Yubikey needs to be part of the FreeIPA domain, which presents
> > somewhat of a problem for us, as our current IPA setup has no desktops, and is
> > in a remote "lights-out" datacenter an hour's drive from our office.  I did see
> > a post recently in the archives of someone figuring out how to set up a Yubikey
> > via the web interface
> > (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - would
> > this be viable?
> 
> Interesting question/suggestion, CCing Nathaniel on this one, he authored the
> feature.

Yes, this is completely viable. The otptoken-add-yubikey is just a
convenience wrapper. It simply programs the Yubikey with the secret
that is also contained in the qr code. If you program this secret
directly yourself, there is no need to use the otptoken-add-yubikey
command.

> > 2) Does the otptoken-add-yubikey command actually change the programming of the
> > Yubikey, or does it simply read its configuration?  We have some users who are
> > already using a Yubikey for personal stuff, and we'd like to allow those users
> > to continue to use their existing Yubikey to auth to our IPA domain, but if the
> > add command changes the programming of the key, that may not be possible without
> > using the second slot, and if users are already using the second slot, they are
> > out of luck.

The command programs the YubiKey with the secret value that is in the
QR code. You can do this yourself using Yubico's utilities if you don't
want to use our tool.

However, if users are already using both slots, you're out of luck
anyway since there is no place to store the new secret key. This is a
limitation of YubiKey, not FreeIPA. It would be most unwise to try to
share secrets with another authenticator to overcome this limitation.

> > 3) Does Yubikey auth require talking to the outside world to function?  Our IPA
> > setup is within a secure zone, with no direct connectivity to the outside world,
> > so if this is necessary, it would be a possible deal-breaker for these.
> 
> None of the FreeIPA setup should require communication with the outside world,
> maybe except some of the current DNS checks during validation. If it does, it
> sounds as a bug to me, as I know about multiple deployments of FreeIPA in such
> environments.

No, YubiKey - when used with FreeIPA - uses the HOTP protocol. No
network connectivity is required.
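Editor's added example (not part of the thread, and not FreeIPA's or Yubico's code) illustrating the two points Nathaniel makes: the QR code for an HOTP token carries the same secret that gets programmed into the YubiKey slot, and verification is plain RFC 4226 HOTP, so the server needs no network access, only the shared key and a counter. The code parses an otpauth://hotp URI of the kind a QR code encodes, computes the codes a key programmed with that secret would emit on each press, and verifies them server-side with a look-ahead window and replay protection. The realm, user label and the window size are assumptions; the secret is the RFC 4226 test key "12345678901234567890", chosen so the codes are the published test vectors.

```python
"""Server-side OATH-HOTP (RFC 4226) verification for a YubiKey slot.

Added example, not FreeIPA code. The otpauth:// URI is constructed here;
only the RFC 4226 test key and the URI format are real.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample of the URI a FreeIPA HOTP QR code carries. The label
# and issuer are made up; the secret is base32 of "12345678901234567890".
SAMPLE_URI = (
    "otpauth://hotp/EXAMPLE.TEST:jdoe"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=6&counter=0"
    "&issuer=EXAMPLE.TEST&algorithm=SHA1"
)


def parse_otpauth(uri):
    """Return (key_bytes, digits, counter) from an otpauth://hotp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "hotp":
        raise ValueError("not an otpauth://hotp URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    # Many generators omit base32 padding; restore it before decoding.
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)
    digits = int(q.get("digits", ["6"])[0])
    counter = int(q.get("counter", ["0"])[0])
    return key, digits, counter


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (6 or 8 on a YubiKey)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """What the IPA side stores for one token: key, digit count, counter."""

    def __init__(self, key, digits=6, counter=0):
        self.key, self.digits, self.counter = key, digits, counter

    def verify(self, code, window=10):
        """Accept `code` if it matches one of the next `window` counters.

        The stored counter advances past the matched value, so a code can
        never be replayed, and a few unsent button presses are tolerated.
        Candidate comparison is constant-time. `window` is an assumption.
        """
        for i in range(window):
            candidate = self.counter + i
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                self.counter = candidate + 1
                return True
        return False


def demo():
    """Simulate YubiKey presses against the server-side token state."""
    key, digits, counter = parse_otpauth(SAMPLE_URI)
    server = HotpToken(key, digits, counter)
    press = 0                      # the hardware counter inside the slot
    results = {}

    code = hotp(key, press, digits); press += 1
    results["first press accepted"] = server.verify(code)
    results["replay rejected"] = not server.verify(code)

    press += 1                     # one press happened without being sent
    code = hotp(key, press, digits); press += 1
    results["skipped press resynced"] = server.verify(code)

    far_ahead = hotp(key, server.counter + 10, digits)
    results["outside window rejected"] = not server.verify(far_ahead)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Programming the physical key is the step otptoken-add-yubikey wraps: whichever tool writes the slot, the hex form of the decoded secret must be what goes into the key, and the slot must be configured for OATH-HOTP with the same digit count, or the server's codes will never match.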