On 01/12/2013 07:17 PM, Dale Macartney wrote:
> Evening all
>
> So, basis of my testing environment is as follows
>
> RHEL 6 running IPA 2.2 or 3.0 (Will be looking to test on both versions)
> RHEL 6 and Fedora 18 workstations connected as ipa clients to IPA domain.
>
> I am using this article in place with my testing environment.
> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>
> What I would like to achieve is:
>
> Scenario 1:
> - From IPA client workstation
> remote SSH session authenticates using current TGT from workstation
> session. No password or yubikey prompt. This should be completely SSO.
>
> Scenario 2:
> - From Non-IPA client workstation
> remote SSH session authenticates via password AND yubikey prompt as no
> TGT is available.
>
> What I don't know how to achieve is Scenario 2.
>
> Is this possible? I'm processing it in my mind of pam having a
> conditional required option, but I don't know of a way to make it happen.
>
From my past experience it was possible if the PAM modules you want to stack support the right PAM flags and conditions. I do not remember the details; it was quite some time ago, but I know that something like this can be accomplished if pam_yubikey (I assume something like this exists) and pam_sss are stacked in the right way.

> Thanks all
>
> Dale
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/