Hello the List,

This doesn't quite work. We have two hosts, we want a user to just use a 
password on one host, and password + OTP on a second host.

I have set the FreeIPA server to use both password and otp+password:

ipa config-mod --user-auth-type={password,otp}

One host (test2fa02) is left with no required auth indicator.

One host (test2fa01) has otp as a required auth indicator:

ipa host-mod --auth-ind=otp test2fa01

I have a user with a token and no auth types chosen (i.e. using the defaults), and 
an OTP token set.

The user is able to log in to test2fa02, which does not require OTP, but I am 
unable to log in to test2fa01.

When I set the user to use OTP only, two-factor authentication works, but it is 
required by both hosts.

When I set the default to use OTP only, two-factor authentication works, but it 
is required on both hosts.

If I unset the auth options on the user and the server, the password works on 
test2fa02, but auth fails on test2fa01.

If I unset auth for the user and set the server auth to password and OTP, the 
password works on test2fa02, but auth fails on test2fa01.

If I unset auth for the server and set auth for the user to password and OTP, 
the password works on test2fa02, but auth fails on test2fa01.

We only want 2FA required on specific hosts, the other hosts should 
authenticate with just password.


Any suggestions?

Aaron
-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Monday, 20 November 2017 12:59 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Re: Enabling two-factor by host

Thanks Sumit,

This looks like what we're after, I'll follow up after some testing.

Aaron

-----Original Message-----
From: Sumit Bose via FreeIPA-users 
[mailto:freeipa-users@lists.fedorahosted.org] 
Sent: Friday, 17 November 2017 9:06 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose <sb...@redhat.com>
Subject: [Freeipa-users] Re: Enabling two-factor by host

On Fri, Nov 17, 2017 at 04:09:01AM +0000, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
> 
> Is it possible to enable two-factor authentication using Google Authenticator 
> on FreeIPA on specific hosts or groups of hosts?
> 
> Alternatively, are there any recommendations on modifying the Pam 
> configuration on these 2FA required machines to grab the OTP token from 
> FreeIPA when a user logs in?

Please check if authentication indicators are what you are looking for, see e.g.
https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indicators/
for details, and look especially for 'Enforcing 2FA on a host principal'.

HTH

bye,
Sumit

> 
> Regards,
> 
> Aaron
> 

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to 
> freeipa-users-le...@lists.fedorahosted.org
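The thread above sets the host-level requirement with `ipa host-mod --auth-ind=otp` and then checks behaviour by logging in. A practitioner rolling this out to more than two hosts usually wants a repeatable audit of which host principals actually carry the indicator before debugging the login path. The script below is an added example, not code from the thread or from FreeIPA: it parses the text output of `ipa host-find --all` (a constructed sample in that shape is embedded so it runs offline; the hostnames, realm and the exact lines are assumptions) and prints the `ipa host-mod` commands needed to reach a desired per-host policy.

```python
"""Audit which FreeIPA hosts enforce OTP via Kerberos authentication indicators.

Added example (not from the mailing-list thread or from FreeIPA). Parses the
plain-text output of `ipa host-find --all` and computes the `ipa host-mod`
calls needed to match a desired policy. All hostnames, the realm and the
sample output below are constructed for the example.
"""
import re

# Constructed sample in the shape `ipa host-find --all` prints (assumed);
# only the "Host name" and "Authentication Indicators" lines are used.
SAMPLE_HOST_FIND = """\
---------------
3 hosts matched
---------------
  Host name: test2fa01.example.com
  Principal name: host/test2fa01.example.com@EXAMPLE.COM
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: test2fa01.example.com

  Host name: test2fa02.example.com
  Principal name: host/test2fa02.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: test2fa02.example.com

  Host name: bastion.example.com
  Principal name: host/bastion.example.com@EXAMPLE.COM
  Authentication Indicators: otp, radius
  Password: False
  Keytab: True
  Managed by: bastion.example.com
----------------------------
Number of entries returned 3
----------------------------
"""

# Desired policy (assumed): which hosts must require OTP and which must not.
DESIRED = {
    "test2fa01.example.com": {"otp"},
    "test2fa02.example.com": set(),
    "bastion.example.com": {"otp"},
}


def parse_host_find(text):
    """Return {fqdn: set(indicators)} from `ipa host-find` text output.

    A host with no "Authentication Indicators" line gets an empty set: the KDC
    then issues service tickets for it regardless of how the TGT was obtained.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Host name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            hosts[current] = set()
            continue
        m = re.match(r"\s*Authentication Indicators:\s*(.+)", line)
        if m and current:
            hosts[current] = {v.strip() for v in m.group(1).split(",") if v.strip()}
    return hosts


def plan_changes(actual, desired):
    """Return the ipa commands that bring `actual` in line with `desired`.

    `ipa host-mod --auth-ind=...` replaces the whole value list, so one command
    per host is enough; an empty value clears the attribute (ipa CLI convention).
    """
    cmds = []
    for fqdn, want in sorted(desired.items()):
        have = actual.get(fqdn)
        if have is None:
            cmds.append(f"# {fqdn}: not enrolled, skipping")
            continue
        if have == want:
            continue
        if not want:
            cmds.append(f"ipa host-mod --auth-ind= {fqdn}")
        else:
            flags = " ".join(f"--auth-ind={i}" for i in sorted(want))
            cmds.append(f"ipa host-mod {flags} {fqdn}")
    return cmds


if __name__ == "__main__":
    # Against a live server replace SAMPLE_HOST_FIND with the output of
    # `ipa host-find --all` (e.g. via subprocess) and review before applying.
    for cmd in plan_changes(parse_host_find(SAMPLE_HOST_FIND), DESIRED):
        print(cmd)
```

The indicator is enforced by the KDC when it issues the service ticket, not by the host itself, so the quickest client-side check after applying the plan is to `kinit` as the user with only a password and then request `kvno host/test2fa01.example.com`; the KDC refuses that ticket when the TGT carries no `otp` indicator, while the same request for test2fa02 succeeds.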
