Winfried de Heiden via FreeIPA-users
<> writes:

> OTP using IPA 4.5 on CentOS seems to work well. However: I can force a user 
> to use OTP and/or a host. 

Authentication indicators won't work that way...

> Selecting a user, ALL authentication needs OTP. Since sudo in this case will 
> ask for OTP also, this turns out
> quite inconvenient. Is it possible to select only certain services for OTP. 
> for example:
> login using SSH --> OTP
> login ftp --> OTP
> console --> password only
> sudo --> password only

Not easily with FreeIPA, but I do something similar with Privacyidea and
Yubikeys.  In FreeIPA I authenticate my user with RADIUS (freeradius and
Privacyidea).  In Privacyidea my user has a Yubikey token assigned, so I
log on with password+OTP when logging in.  When I do sudo I have a
special PAM config: Users with a yubikey authenticate only with OTP
instead of "NOPASSWD" - that way I don't need to type my password, but
still have some authentication going on.

You can't do that with tokens defined in FreeIPA, but looking at PAM
options might help you to get something working. Do you use hardware
tokens or a smartphone app/soft token?
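The split described above (sudo asks only for the OTP from users who hold a hardware token, everyone else keeps the normal system password) can be expressed as a PAM stack. The following is an added illustration, not the poster's own configuration: it assumes a CentOS-style /etc/pam.d/sudo that normally just includes system-auth, a local group named otp-users whose members have a token, and a RADIUS-backed OTP check via pam_radius_auth.so (configured separately in /etc/pam_radius_auth.conf). The group name and module choice are assumptions.

```pam
# /etc/pam.d/sudo  (assumed example layout for CentOS; not from the original post)
#
# Line 1: if the user is NOT in group otp-users, skip the next 1 module and
#         fall through to the normal system-auth password check.
#         "quiet" keeps pam_succeed_if from logging every evaluation.
# Line 2: members of otp-users are authenticated by the RADIUS/OTP server only.
#         success=done  -> auth phase finished, no Unix password asked
#         default=die   -> any RADIUS failure fails sudo immediately
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user notingroup otp-users
auth    [success=done default=die]  pam_radius_auth.so
auth    include                     system-auth
account include                     system-auth
password include                    system-auth
session include                     system-auth
```

Two practical notes: the RADIUS server (PrivacyIDEA in the scenario above) must itself be configured to accept an OTP without the user's password for this client, otherwise the second line will always fail; and because a mistake here locks you out of sudo, keep a root shell open and verify both an otp-users member and a non-member with `sudo -k && sudo true` before closing it.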
