What VPN server are you using & how do you currently integrate it with FreeIPA?

If you integrate via PAM, I think the following is possible, but it is 
untested--it's just what I've pulled together in my notes; I haven't got around 
to actually trying it yet.

You can allow a user to use _either_ normal password authentication, or OTP:

ipa user-mod myuser --user-auth-type=password,otp

Now, pam_sss will prompt for 'first factor' and 'second factor (optional)' - if 
the user just hits enter then they can still log in with password alone. If 
they do provide a second factor, there will be an 'authentication indicator' 
included in their TGT which can be checked later on by the pam_sss_gss module.

On your VPN server, add the pam_sss_gss module to the vpn service's PAM module 
stack. It has to go after pam_sss has prompted the user & obtained a TGT; I 
guess the 'required' control flag is the right thing to use here. But the exact 
position will depend on what else you have in your module stack.

Tell sssd to allow the use of pam_sss_gss by setting pam_gssapi_services = 
myvpn, and configure it to require the 'otp' indicator on the user's TGT by 
setting pam_gssapi_indicators_map = myvpn:otp. Both those settings are in the 
[pam] section of sssd.conf.

(As an aside, I wonder why the former setting is needed--only root should be 
able to modify PAM stacks; and why the latter setting couldn't have been 
implemented by a module argument... it would have been nicer to keep all the 
PAM config in one place...)

The remaining bit of work is to get the VPN server to understand the prompts 
from pam_sss & provide the password to the 'first factor' prompt and the OTP to 
the 'second factor' prompt.

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

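The sssd.conf side of the procedure above is easy to get subtly wrong: if pam_gssapi_services lists the VPN service but pam_gssapi_indicators_map does not require 'otp' for it, a TGT obtained with the password alone (the user pressed enter at the optional second-factor prompt) will still satisfy pam_sss_gss. The following checker is an added example, not code from the post or from the SSSD project. It assumes the documented sssd.conf semantics (pam_gssapi_services is a comma-separated list of PAM service names, with '-' meaning disabled; pam_gssapi_indicators_map is a comma-separated list of 'service:indicator' entries, or bare indicators that apply to every service), reads only the [pam] section, and uses the constructed service name 'myvpn' and two constructed sssd.conf fragments, one weak and one hardened.

```python
"""Check an sssd.conf [pam] section for the pam_sss_gss settings discussed above.

Added example; not from the mailing-list post or the SSSD project. Assumes:
  pam_gssapi_services       = comma-separated PAM services allowed to use
                              pam_sss_gss; "-" (the default) disables it.
  pam_gssapi_indicators_map = comma-separated "service:indicator" entries, or a
                              bare "indicator" that applies to every service.
Only the [pam] section is read; per-domain overrides are not considered.
The service name "myvpn" and both configs below are constructed for the example.
"""
import configparser

# Constructed weak config: GSSAPI login is enabled for the VPN service, but no
# authentication indicator is required, so a TGT obtained with the password
# alone (second factor skipped) is accepted by pam_sss_gss.
WEAK_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[pam]
pam_gssapi_services = myvpn, sshd

[domain/example.test]
id_provider = ipa
"""

# Constructed hardened config: the VPN service's TGT must carry the "otp"
# indicator, which is only present when a second factor was actually used.
HARDENED_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[pam]
pam_gssapi_services = myvpn, sshd
pam_gssapi_indicators_map = myvpn:otp, sshd:otp

[domain/example.test]
id_provider = ipa
"""


def _split_list(value):
    """Split a comma-separated sssd.conf value, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def gssapi_policy(conf_text, service):
    """Return (enabled, required_indicators) for `service` from the [pam] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("pam"):
        return False, set()
    services = _split_list(parser.get("pam", "pam_gssapi_services", fallback="-"))
    enabled = service in services and "-" not in services
    required = set()
    for entry in _split_list(parser.get("pam", "pam_gssapi_indicators_map", fallback="")):
        svc, sep, indicator = entry.partition(":")
        if not sep:
            required.add(svc)        # bare indicator: applies to all services
        elif svc == service:
            required.add(indicator)  # service-specific entry
    return enabled, required


def check_otp_required(conf_text, service):
    """Return a list of findings; an empty list means `service` is locked to OTP."""
    enabled, required = gssapi_policy(conf_text, service)
    findings = []
    if not enabled:
        findings.append(f"{service}: pam_sss_gss not permitted (pam_gssapi_services)")
    if "otp" not in required:
        findings.append(f"{service}: no 'otp' entry in pam_gssapi_indicators_map; "
                        "a password-only TGT would pass pam_sss_gss")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(name, check_otp_required(conf, "myvpn") or ["ok"])
```

Run it against a copy of your own /etc/sssd/sssd.conf by passing its contents to check_otp_required with the PAM service name your VPN daemon uses; the PAM stack order and the ipa user-mod step from the post are not covered by this check.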