On Mon, Sep 25, 2017 at 11:41:38AM -0500, Jeremy Utley via FreeIPA-users wrote:
> That might be, but a quick read of the referenced document indicates it may
> not work the way we want. All users will be using 2FA to access the jump
> hosts. The way I read it, the Kerberos ticket will indicate that 2FA was
> used - and by enforcing 2FA on the destination machines, the ticket will
> still allow them in automatically. What we're looking to possibly do is
> require 2FA use to the jump host, and then if they go to certain specific
> hosts, they'll be required to use 2FA again to gain access there.
If you do not want to use the single-sign-on feature that Kerberos offers
you on those hosts, you can disable 'GSSAPIAuthentication' on those hosts in
/etc/ssh/sshd_config (maybe you even want to disable 'PubkeyAuthentication').

HTH

bye,
Sumit

> I'll set up a test environment and see what I can figure out. Thanks for
> the hint!
>
> Jeremy Utley
>
> On Mon, Sep 25, 2017 at 8:47 AM, Sumit Bose via FreeIPA-users <
> email@example.com> wrote:
>
> > On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users
> > wrote:
> > > Hello all on the list!
> > >
> > > Kind of an odd question, but management has asked me to try to find this
> > > out. We've been rolling out FreeIPA to replace OpenLDAP inside a
> > > higher-security (PCI Compliant) part of our overall network. One of the
> > > things we would like to possibly do is require 2FA (using Yubikeys) for
> > > certain machines within that network, without creating a second FreeIPA
> > > domain. For example, inside this domain we have jump hosts that will
> > > require Yubikey 2FA to log in to, and from that point forward, Kerberos
> > > would be used to move from one machine to another. However, for 2
> > > specific machines, we'd like to require a second 2FA authentication to
> > > those to provide some additional security. Is this even possible?
> >
> > I think what you are looking for is documented here:
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks,
> > >
> > > Jeremy Utley

_______________________________________________
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
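As an added example (not from the thread or the FreeIPA project), a small POSIX shell check that reads an sshd_config and confirms that both options named in the reply are switched off on one of the "authenticate again here" hosts, so that neither a forwarded Kerberos ticket nor an SSH key can bypass the second 2FA prompt. The sample config and the assumption that a keyboard-interactive/PAM login is what lets SSSD prompt for the OTP are mine; on a live host `sshd -T` is the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Constructed sample of /etc/ssh/sshd_config for a host that must not honour
# single sign-on (assumption: this is what the reply's suggestion looks like).
SAMPLE_SSHD_CONFIG='# Refuse the Kerberos ticket forwarded from the jump host
GSSAPIAuthentication no
# Refuse SSH keys too, so a key cannot stand in for the second factor
PubkeyAuthentication no
# Keyboard-interactive through PAM lets SSSD ask for the Yubikey OTP (assumption)
ChallengeResponseAuthentication yes
UsePAM yes
# sshd keeps the FIRST value of a keyword; this later duplicate is ignored
GSSAPIAuthentication yes'

# Print the effective value of one sshd_config keyword read from stdin.
# Mirrors sshd: keywords are case-insensitive and the first value wins.
# Match blocks are not interpreted, so parsing stops at the first "Match".
sshd_option_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { print tolower($2); found = 1 }'
}

# Succeed (exit 0) only when both options are explicitly "no". A missing
# keyword falls back to the distro default, so it is treated as not proven off.
check_no_sso() {
    config="$1"
    gss=$(printf '%s\n' "$config" | sshd_option_value GSSAPIAuthentication)
    pub=$(printf '%s\n' "$config" | sshd_option_value PubkeyAuthentication)
    [ "$gss" = "no" ] && [ "$pub" = "no" ]
}

# Stand-alone usage: check the constructed sample above.
if check_no_sso "$SAMPLE_SSHD_CONFIG"; then
    echo "OK: Kerberos SSO and public-key logins are disabled"
else
    echo "WARNING: this host would still accept SSO or key logins"
fi
```

To check a real host, feed it `sshd -T` output instead of the file, since that already resolves includes and defaults.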