On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users wrote:
> Hello all on the list!
> 
> Kind of an odd question, but management has asked me to try to find this
> out.  We've been rolling out FreeIPA to replace OpenLDAP inside a
> higher-security (PCI Compliant) part of our overall network.  One of the
> things we would like to possibly do is require 2FA (using Yubikeys) for
> certain machines within that network, without creating a second FreeIPA
> domain.  For example, inside this domain we have jump hosts that will
> require Yubikey 2FA to log in to, and from that point forward, Kerberos
> would be used to move from one machine to another.  However, for 2 specific
> machines, we'd like to require a second 2FA authentication to those to
> provide some additional security.  Is this even possible?

I think what you are looking for is documented here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html

HTH

bye,
Sumit

> 
> Thanks,
> 
> Jeremy Utley

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org