On 01/12/2013 07:17 PM, Dale Macartney wrote:
> Evening all
> So, basis of my testing environment is as follows
> RHEL 6 running IPA 2.2 or 3.0 (Will be looking to test on both versions)
> RHEL 6 and Fedora 18 workstations connected as ipa clients to IPA domain.
> I am using this article in place with my testing environment.
> What I would like to achieve is:
> Scenario 1:
> - From IPA client workstation
> remote SSH session authenticates using current TGT from workstation
> session. No password or yubikey prompt. This should be completely SSO.
> Scenario 2:
> - From Non-IPA client workstation
> remote SSH session authenticates via password AND yubikey prompt as no
> TGT is available.
> What I don't know how to achieve is Scenario 2.
> Is this possible? I'm processing it in my mind of pam having a
> conditional required option, but I don't know of a way to make it happen.
From my past experience, it was possible if the PAM modules you want to
stack support the right PAM flags and conditions. I do not remember the
details, it was quite some time ago, but I know that something like this
can be accomplished if pam_yubikey (I assume something like this exists)
and pam_sss are stacked in the right way.
> Thanks all
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
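
One way the two scenarios can be split, as an added example that is not part of the original thread or of any FreeIPA documentation: sshd's GSSAPI method never enters the PAM `auth` stack, so only logins without a ticket reach the YubiKey and password modules. It assumes the Yubico PAM module (`pam_yubico.so`) is installed and that the RHEL 6 `password-auth` stack already calls `pam_sss`; `<API_CLIENT_ID>` and the mapping file path are placeholders.

```conf
# ---- /etc/ssh/sshd_config (relevant lines only) ----
# Scenario 1: a client holding a valid TGT authenticates with
# gssapi-with-mic. sshd does not run the PAM "auth" stack for this
# method (only "account" and "session"), so no password or OTP prompt.
GSSAPIAuthentication yes

# Scenario 2: no ticket available, so the client falls back to
# keyboard-interactive, which sshd hands to the PAM "auth" stack below.
UsePAM yes
ChallengeResponseAuthentication yes
# Plain password method disabled so the fallback always goes through the
# PAM conversation and can show more than one prompt.
PasswordAuthentication no

# ---- /etc/pam.d/sshd (auth section only) ----
# "required": the OTP must validate, and the stack keeps running so the
# password check still happens afterwards.
# <API_CLIENT_ID> and /etc/yubikey_mappings are placeholders; the
# mapping file ties each login name to its token id (user:tokenid).
auth       required     pam_yubico.so id=<API_CLIENT_ID> authfile=/etc/yubikey_mappings
# Assumption: password-auth is the authconfig-generated stack that
# checks the password through pam_unix and pam_sss.
auth       include      password-auth
```

Every account that logs in without a ticket needs an entry in the mapping file, because a `required` module that fails denies the login. Keep an existing root session open while testing changes to this stack.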