[Freeipa-users] Re: 2FA only for certain hosts/host groups

Wed, 29 Mar 2023 14:06:53 -0700 

On 29/03/2023 21:48, Ronald Wimmer via FreeIPA-users wrote:

On 29.03.23 22:30, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups? 


List here says yes... 
https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indicators/


I'm gonna give it a try.



Sorry. Clicked on send to early... As I understand the link above, it 
would just be a


ipa host-mod  --auth-ind=otp secure.linuxhost.at

instead of enabling the option for some user. Right?


(or ipa service-mod --auth-ind=otp http/secure.linuxhost.at for a 
certain service)



But when I set the auth indicator on a host it does not seem to work. 
What am I missing?



Get a new TGT without providing a second factor. Then request a service 
ticket for host/secure.linuxhost.at; the KDC should refuse to hand out a 
ticket since your TGT doesn't have the 'otp' authentication indicator.


https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html#kerberos-authentication-indicators


See also pam_sss_gss which can used to grant/deny authentication to a 
PAM service based on the authentication indicators present on the user's 
host/$HOSTNAME service ticket:


https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html#enforcing-authentication-indicators


Services that authenticate clients via Kerberos authentication are also 
able to find out which authentication indicators are present on a 
client's service ticket, but I think this is quite new functionality 
that isn't implemented outside of pam_sss_gss so far.


--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue






















					Reply via email to