That might be, but a quick read of the referenced document indicates it may not work the way we want. All users will be using 2FA to access the jump hosts. The way I read it, the Kerberos ticket will indicate that 2FA was used - and by enforcing 2FA on the destination machines, the ticket will still allow them in automatically. What we're looking to possibly do is require 2FA use to the jump host, and then if they go to certain specific hosts, they'll be required to use 2FA again to gain access there.
I'll set up a test environment and see what I can figure out. Thanks for the hint!

Jeremy Utley

On Mon, Sep 25, 2017 at 8:47 AM, Sumit Bose via FreeIPA-users <email@example.com> wrote:

> On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users wrote:
> > Hello all on the list!
> >
> > Kind of an odd question, but management has asked me to try to find this out. We've been rolling out FreeIPA to replace OpenLDAP inside a higher-security (PCI Compliant) part of our overall network. One of the things we would like to possibly do is require 2FA (using Yubikeys) for certain machines within that network, without creating a second FreeIPA domain. For example, inside this domain we have jump hosts that will require Yubikey 2FA to log in to, and from that point forward, Kerberos would be used to move from one machine to another. However, for 2 specific machines, we'd like to require a second 2FA authentication to those to provide some additional security. Is this even possible?
>
> I think what you are looking for is documented here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html
>
> HTH
>
> bye,
> Sumit
>
> > Thanks,
> >
> > Jeremy Utley
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- firstname.lastname@example.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org