<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 12/11/2014 06:32 PM,
      <a class="moz-txt-link-abbreviated" href="mailto:freeipa@pettyvices.com">freeipa@pettyvices.com</a> wrote:<br>
    </div>
    <blockquote
      cite="mid:alpine.DEB.2.02.1412111523250.24600@e.crebbs.net"
      type="cite">
      <br>
      I'd like to be able to require 2FA on *certain* hosts and allow
      just passwords on others.
      <br>
      <br>
      It seems you can check both "passwords" and "2FA" under the user.
      <br>
      <br>
      I was hoping I could create a HBAC such that certain hosts would
      only allow 2FA, but I can't see an obvious way to do that.
      <br>
      <br>
      Is it possible?  Help on how would be great.  If not, feature
      request?
      <br>
      <br>
      thanks,
      <br>
      <br>
      -t
      <br>
      <br>
    </blockquote>
    We have several tickets:<br>
    <br>
    <a href="https://fedorahosted.org/freeipa/ticket/433">https://fedorahosted.org/freeipa/ticket/433</a><br>
    <a href="https://fedorahosted.org/freeipa/ticket/3659">https://fedorahosted.org/freeipa/ticket/3659</a><br>
    <a href="https://fedorahosted.org/freeipa/ticket/4498">https://fedorahosted.org/freeipa/ticket/4498</a><br>
    <br>
    If you see <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4498#comment:6">https://fedorahosted.org/freeipa/ticket/4498#comment:6</a> we
    discussed this use case.<br>
    And I was about to fork it as said, but then I realized that there is
    no good way on the KDC to determine the host you are coming from.<br>
    So IMO it should be a policy decision on SSSD.<br>
    There are two options: <br>
    - short term solution: allow SSSD to have a local override to
    require OTP if the server offers different options.<br>
    - longer term solution: actually have a per host policy that is
    centrally managed that is fetched per host and enforced by SSSD.<br>
    <br>
    Before filing tickets I would like to hear opinions on the matter.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
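    <p>Added example, not part of this thread and not FreeIPA or SSSD code: a small Python model of the "local override" idea from the reply above. The server advertises which authentication types a user may use (the "password" and "2FA" checkboxes in the question); a host-local policy may tighten that set by requiring OTP, but never loosen it. Users, hosts and the <code>require_otp</code> flag are constructed sample values; the <code>OTP</code> method stands for the password-plus-token login a 2FA user would perform.</p>

```python
# Added illustration of a host-local "require OTP" override layered on top of
# server-advertised per-user authentication types. Not FreeIPA/SSSD code.
from typing import Dict, FrozenSet

PASSWORD = "password"   # plain password login
OTP = "otp"             # password + one-time token login

# Constructed sample data: auth types the server advertises per user.
# alice has both boxes ticked, bob only "password" (no token enrolled).
SERVER_USER_AUTH: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({PASSWORD, OTP}),
    "bob": frozenset({PASSWORD}),
}

# Constructed sample data: hypothetical per-host override. True means the
# host insists on OTP regardless of what the server allows the user.
HOST_POLICY: Dict[str, bool] = {
    "bastion.example.test": True,
    "devbox.example.test": False,
}


def allowed_auth_types(user: str, host: str) -> FrozenSet[str]:
    """Intersect the server's per-user options with the host's local policy.

    The local policy can only remove options (restrict to OTP); it can never
    add an option the server did not advertise, so an unknown user or a
    user without a token on a strict host ends up with an empty set.
    """
    offered = SERVER_USER_AUTH.get(user, frozenset())
    require_otp = HOST_POLICY.get(host, False)   # unknown host: no override
    if require_otp:
        return offered & frozenset({OTP})
    return offered


def authenticate(user: str, host: str, method: str) -> bool:
    """True if `method` is acceptable for `user` logging in to `host`."""
    return method in allowed_auth_types(user, host)


if __name__ == "__main__":
    for user, host, method in [
        ("alice", "bastion.example.test", PASSWORD),  # denied: host requires OTP
        ("alice", "bastion.example.test", OTP),       # allowed
        ("bob", "bastion.example.test", OTP),         # denied: bob has no token
        ("bob", "devbox.example.test", PASSWORD),     # allowed: no override
    ]:
        print(f"{user}@{host} via {method}: {authenticate(user, host, method)}")
```

    <p>The edge case worth noticing is bob on the strict host: the override yields an empty set, so he cannot log in at all until a token is enrolled for him, which is exactly the failure mode a centrally managed per-host policy (the "longer term solution") would have to surface to administrators.</p>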
  </body>
</html>