On Mon, Sep 25, 2017 at 11:41:38AM -0500, Jeremy Utley via FreeIPA-users wrote:
> That might be, but a quick read of the referenced document indicates it may
> not work the way we want.  All users will be using 2FA to access the jump
> hosts.  The way I read it, the Kerberos ticket will indicate that 2FA was
> used - and by enforcing 2FA on the destination machines, the ticket will
> still allow them in automatically.  What we're looking to possibly do is
> require 2FA use to the jump host, and then if they go to certain specific
> hosts, they'll be required to use 2FA again to gain access there.

If you do not want to use the single-sign-on feature that Kerberos
offers you on those hosts you can disable 'GSSAPIAuthentication' on
those hosts in /etc/ssh/sshd_config (maybe you even want to disable
'PubkeyAuthentication').

HTH

bye,
Sumit
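A compliance check for the hosts described above, added here as an example and not part of the thread: it reads `sshd -T` output and confirms that GSSAPIAuthentication and PubkeyAuthentication are off, and (going one step beyond the thread) that a password or keyboard-interactive method is still enabled so the OTP prompt has a way in. The sample configurations are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective sshd settings of a
# host that must ask for a fresh 2FA login instead of honouring a Kerberos
# (GSSAPI) ticket or an SSH key brought over from the jump host. Input is
# `sshd -T` output (lowercase "keyword value" lines):  audit_no_sso "$(sshd -T)"

# First value of one lowercase keyword in sshd -T text read from stdin,
# or UNSET when sshd did not print it.
sshd_value() {
    awk -v k="$1" '$1 == k && !found { print $2; found = 1 }
                   END { if (!found) print "UNSET" }'
}

# Return 0 when GSSAPI and public-key logins are both off and at least one
# interactive method (the path the OTP prompt needs) is still on; 1 otherwise.
audit_no_sso() {
    _cfg="$1"
    _rc=0
    for _kw in gssapiauthentication pubkeyauthentication; do
        _val=$(printf '%s\n' "$_cfg" | sshd_value "$_kw")
        case "$_val" in
            no) echo "OK   $_kw=$_val" ;;
            *)  echo "FAIL $_kw=$_val (expected no)"; _rc=1 ;;
        esac
    done
    # Lockout guard: password or keyboard-interactive (named
    # challengeresponse- or kbdinteractive- depending on OpenSSH version).
    _ok=no
    for _kw in passwordauthentication challengeresponseauthentication \
               kbdinteractiveauthentication; do
        [ "$(printf '%s\n' "$_cfg" | sshd_value "$_kw")" = yes ] && _ok=yes
    done
    [ "$_ok" = yes ] || { echo "FAIL no interactive login method left"; _rc=1; }
    return $_rc
}

# Constructed sample sshd -T output (not captured from a real host): the
# jump-host style default, and the same host after adding
# "GSSAPIAuthentication no" and "PubkeyAuthentication no" to sshd_config.
DEFAULT_CFG='port 22
gssapiauthentication yes
pubkeyauthentication yes
passwordauthentication yes'
HARDENED_CFG='port 22
gssapiauthentication no
pubkeyauthentication no
passwordauthentication yes'
echo "-- default (Kerberos ticket accepted):"; audit_no_sso "$DEFAULT_CFG" || true
echo "-- hardened (fresh 2FA required):";     audit_no_sso "$HARDENED_CFG"
```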

> 
> I'll set up a test environment and see what I can figure out.  Thanks for
> the hint!
> 
> Jeremy Utley
> 
> On Mon, Sep 25, 2017 at 8:47 AM, Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
> > On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users
> > wrote:
> > > Hello all on the list!
> > >
> > > Kind of an odd question, but management has asked me to try to find this
> > > out.  We've been rolling out FreeIPA to replace OpenLDAP inside a
> > > higher-security (PCI Compliant) part of our overall network.  One of the
> > > things we would like to possibly do is require 2FA (using Yubikeys) for
> > > certain machines within that network, without creating a second FreeIPA
> > > domain.  For example, inside this domain we have jump hosts that will
> > > require Yubikey 2FA to log in to, and from that point forward, Kerberos
> > > would be used to move from one machine to another.  However, for 2 specific
> > > machines, we'd like to require a second 2FA authentication to those to
> > > provide some additional security.  Is this even possible?
> >
> > I think what you are looking for is documented here:
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks,
> > >
> > > Jeremy Utley
> >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
