On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users wrote:
> Hello all on the list!
>
> Kind of an odd question, but management has asked me to try to find this
> out. We've been rolling out FreeIPA to replace OpenLDAP inside a
> higher-security (PCI Compliant) part of our overall network. One of the
> things we would like to possibly do is require 2FA (using Yubikeys) for
> certain machines within that network, without creating a second FreeIPA
> domain. For example, inside this domain we have jump hosts that will
> require Yubikey 2FA to log in to, and from that point forward, Kerberos
> would be used to move from one machine to another. However, for 2 specific
> machines, we'd like to require a second 2FA authentication to those to
> provide some additional security. Is this even possible?

I think what you are looking for is documented here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html

HTH

bye,
Sumit

>
> Thanks,
>
> Jeremy Utley
> _______________________________________________
> FreeIPA-users mailing list -- firstname.lastname@example.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org