On 25/08/2023 14.20, Ole Froslie via FreeIPA-users wrote:
Hi all,
I do acknowledge that this topic has been discussed in various threads, but I
am struggling to get it working and to understand the concepts.
My use cases are to use OTP 2FA with for example Google Authenticator as
additional security measure for
1. access to the freeipa server itself for selected users (typically admins)
2. access to selected linux servers enrolled in FreeIPA. All users with any
access to these should always use OTP on these servers. No requirement for OTP
for access to other servers.
3. access to applications using LDAP integrations to FreeIPA
The first use case works right out of the box. I have managed to configure
individual users for OTP in the User Auth settings, assign tokens and get it
working using Google Authenticator.
I am struggling with the second use case for server access.
Instead of diving into all the detailed configs and logs and to understand why
it is not working I would rather start with how it is supposed to work at the
high level, to ensure I have gotten the basics correct first.
Is the use case supported at all?
How should I configure the selected users in FreeIPA?
How should I configure the selected hosts in FreeIPA?
What should I configure on the selected hosts, i.e. with respect to SSSD, PAM
etc.?
You are looking for a feature called "Kerberos authentication
indicators". FreeIPA's Kerberos KDC annotates Kerberos tickets with auth
indicators, e.g. users with a 2FA login have an "otp" indicator in their TGT.
A host or service can require authentication indicators in two different
ways:
1. The KDC can require and enforce authentication indicators when a user
requests a ticket for a host or service principal.
2. SSSD can require authentication indicators for a PAM service (e.g.
sudo requires 2FA).
These documents explain the feature in more detail:
- https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html#enforcing-authentication-indicators
- https://www.freeipa.org/page/V4/Authentication_Indicators
- https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/auth-indicators
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
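The two enforcement points from the reply, written out as an added example (not code from the thread or from the FreeIPA project): the KDC-side host policy via `ipa host-mod --auth-ind`, the per-user restriction via `ipa user-mod --user-auth-type`, and the SSSD-side `[pam]` section that makes `pam_sss_gss` demand the indicator for selected PAM services. Hostnames, user names and the "apply" entry point are placeholders; it assumes an admin Kerberos ticket on the IPA client where the `ipa` commands run.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostnames/users are placeholders.
set -eu

# --- KDC side: mark the host principal so the KDC only issues service
# tickets for it to TGTs carrying the "otp" indicator. A password-only
# user then gets "KDC policy rejects request" when asking for host/<fqdn>.
require_otp_on_host() {
    ipa host-mod "$1" --auth-ind=otp
}

# Users who must always do 2FA: restrict their auth types to OTP only, so a
# password-only kinit is refused and every TGT they obtain carries "otp".
require_otp_for_user() {
    ipa user-mod "$1" --user-auth-type=otp
}

# --- SSSD side: render the [pam] section for /etc/sssd/sssd.conf on the
# enrolled host. pam_gssapi_services lists the PAM services handled by
# pam_sss_gss.so; pam_gssapi_indicators_map requires "otp" for each of them.
# Arguments are PAM service names, e.g. sudo sudo-i. The matching PAM stack
# line is "auth sufficient pam_sss_gss.so" in /etc/pam.d/<service>.
render_sssd_pam_section() {
    svcs=$(printf '%s, ' "$@"); svcs=${svcs%, }
    map=""
    for s in "$@"; do map="${map}${map:+, }${s}:otp"; done
    printf '[pam]\npam_gssapi_services = %s\npam_gssapi_indicators_map = %s\n' \
        "$svcs" "$map"
}

# Client-side check: request a service ticket for the host. With a
# password-only TGT this fails after require_otp_on_host; after a kinit
# that used password+OTP it succeeds.
check_host_ticket() {
    if kvno "host/$1" >/dev/null 2>&1; then
        echo "service ticket issued for $1"
    else
        echo "KDC refused service ticket for $1 (missing auth indicator?)"
    fi
}

if [ "${1:-}" = "apply" ]; then
    require_otp_on_host "$2"        # e.g. web01.ipa.example.test
    require_otp_for_user "$3"       # e.g. alice
    render_sssd_pam_section sudo sudo-i
    check_host_ticket "$2"
fi
```

Run as `sh enforce-otp.sh apply <host-fqdn> <user>`; the rendered `[pam]` section goes into sssd.conf on the host, followed by an SSSD restart.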