The above (pseudo) pull request contains four patches against FreeIPA
to enable the insertion of Authentication Indicators into Kerberos
tickets. The basic flow looks like this.

First, we patch ipa-pwd-extop to return a control indicating what
authentication method succeeded resulting in a successful bind.

Second, we patch ipa-otpd to check the returned control to ensure that
the bind resulted from an otp validation.

Third, we patch ipa-kdb to enable the KDC to return either the
encrypted timestamp or encrypted challenge preauth mechanism when the
user is configured for optional 2FA logins. Clients can then decide
whether to do 1FA or 2FA login (for kinit, sane behavior already

Fourth, we patch ipa-kdb again to insert hard-coded authentication
indicators for either OTP or RADIUS.

Some explanation is required for the first two patches. Currently, it
is possible to do a 1FA through the otp preauthentication mechanism if
the user is configured for doing optional 2FA. However, because we want
to insert an authentication indicator in this code path, we need to
guarantee that a request going through the otp preauth mechanism
actually validates an OTP. This is the purpose of the control.

Items still on the TODO list:

  * Authentication Indicator enforcement
    - Upstream libkrb5 needs to grow funcs for reading indicators
    - Schema change to add indicators multi-value attr to services
    - ipa-kdb needs to implement check_policy_tgs()

  * SSSD needs to learn to handle optional 2FA

I will write up a project page for all of this tomorrow. But this small
code basically amounts to my brainstorming. It is not ready for merge,
just basic review.
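As an added illustration (not the patches themselves, which are not shown here), a Python model of the four-step flow described above: a bind control naming the method that succeeded, ipa-otpd honouring it, the KDC offering both preauth mechanisms for optional 2FA, and the indicator being attached only on the OTP path. All function names, the user table and the string-valued "method" field are hypothetical stand-ins, since the post does not give the control's real format.

```python
from dataclasses import dataclass

# Constructed directory: per-user secrets and allowed authentication types.
# A user with both "password" and "otp" is the "optional 2FA" case from the post.
USERS = {
    "alice": {"password": "pw-a", "otp": "123456", "auth_types": {"password", "otp"}},
    "bob":   {"password": "pw-b", "otp": "654321", "auth_types": {"otp"}},
}

@dataclass
class BindResult:
    success: bool
    method: str = ""  # models the control from step 1: which method succeeded

def pwd_extop_bind(user: str, secret: str) -> BindResult:
    """Step 1 (ipa-pwd-extop model): password+OTP binds as 'otp'; a bare
    password binds as 'password' when the user is allowed 1FA."""
    u = USERS[user]
    if "otp" in u["auth_types"] and secret == u["password"] + u["otp"]:
        return BindResult(True, "otp")
    if "password" in u["auth_types"] and secret == u["password"]:
        return BindResult(True, "password")
    return BindResult(False)

def otpd_validate(user: str, secret: str, check_control: bool = True) -> bool:
    """Step 2 (ipa-otpd model): with check_control, accept the bind only if
    the control says an OTP was validated; without it, any bind passes."""
    r = pwd_extop_bind(user, secret)
    return r.success and (r.method == "otp" or not check_control)

def kdc_offer_preauth(user: str) -> set:
    """Step 3 (ipa-kdb model): offer both mechanisms for optional 2FA."""
    t = USERS[user]["auth_types"]
    mechs = set()
    if "password" in t:
        mechs.add("encrypted_timestamp")
    if t & {"otp", "radius"}:
        mechs.add("encrypted_challenge")
    return mechs

def kdc_issue_tgt(user: str, mech: str, secret: str, check_control: bool = True):
    """Step 4 (ipa-kdb model): return the ticket's indicator list, or None on
    failure. Only the challenge path ever carries the hard-coded 'otp' indicator."""
    if mech not in kdc_offer_preauth(user):
        return None
    if mech == "encrypted_timestamp":
        return [] if secret == USERS[user]["password"] else None
    return ["otp"] if otpd_validate(user, secret, check_control) else None

def check_policy_tgs(indicators, required: set) -> bool:
    """TODO item from the post: a service may require certain indicators."""
    return indicators is not None and required <= set(indicators)
```

Running the model with `check_control=False` shows the problem the control closes: a password-only bind through the OTP preauth path would otherwise be stamped with the "otp" indicator.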
