On Mon, 11 Aug 2014, Michael Lasevich wrote:
> Ok, I am trying to figure out how to use native OTP capabilities in
> FreeIPA4 to authenticate users but I am not finding enough docs on how to
> USE OTP.
>
> Specifically I would like to force OTP authentication on specific servers
> while allowing password auth in other cases. As I understand
> authentication, you can either select OTP or password or both
> authentications, but if you select both, the user can use password instead
> of OTP from ANY server.
That is correct.

> Is there any way to block password auth based on source (HBAC rules?) So
> far the only way I can figure out is to create a second account, which is
> less than optimal.
No, this functionality is not supported. One particular issue is that
we'll need to authenticate before applying HBAC rules, not after, so
some other means to validate the request chain are needed.

Additionally, Kerberos authentication requires you to enter your credentials
only when obtaining a ticket granting ticket (TGT), which happens before
a client will ask for a ticket to a specific service. Also, renewing the
ticket might be possible without the original credentials. Perhaps we could
add a flag into the TGT that would tell how strong the credentials were (how
many factors were in use) when the TGT was obtained, and then use it in a
policy to see if a ticket to the target service principal could be
granted.

It is worth filing an RFE, anyway.

--
/ Alexander Bokovoy
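The reply above sketches a policy rather than a feature: the KDC would record how many factors were presented at the AS exchange, the record would have to survive renewal (since renewal asks for no credentials), and the TGS exchange would consult it per target service. The toy model below, added here as an illustration and not FreeIPA or MIT Kerberos code, walks through exactly that flow; `SERVICE_POLICY`, the `factors` attribute and every principal and host name are constructed assumptions. The idea later became what MIT Kerberos and FreeIPA call authentication indicators, but the model here is only the three checkpoints the reply names.

```python
"""Toy model of the reply's proposal: the KDC stamps the TGT with the number of
factors used, renewal carries the stamp over, and a per-service policy decides
whether a service ticket may be issued. Constructed example with hypothetical
names; not the FreeIPA or MIT Kerberos implementation."""
from dataclasses import dataclass, replace
import time


@dataclass(frozen=True)
class TGT:
    principal: str
    factors: int          # 1 = password only, 2 = password + OTP (assumed encoding)
    issued_at: float
    expires_at: float


class PolicyError(Exception):
    pass


# Hypothetical per-service policy: minimum number of factors the TGT must
# have been obtained with. Services not listed accept any TGT, which is the
# "password works from ANY server" behaviour the question describes.
SERVICE_POLICY = {
    "host/bastion.example.test": 2,
    "host/dev.example.test": 1,
}


def issue_tgt(principal, password_ok, otp_ok, lifetime=8 * 3600, now=None):
    """AS exchange: the only point at which the user supplies credentials,
    so it is the only point at which factor strength can be observed."""
    now = time.time() if now is None else now
    if not password_ok:
        raise PolicyError("password authentication failed")
    factors = 2 if otp_ok else 1
    return TGT(principal, factors, now, now + lifetime)


def renew_tgt(tgt, lifetime=8 * 3600, now=None):
    """Renewal presents no credentials, so the factor count must be copied
    unchanged; recomputing it here would let a renewed TGT gain or lose
    strength without anyone re-authenticating."""
    now = time.time() if now is None else now
    if now > tgt.expires_at:
        raise PolicyError("TGT expired; re-authenticate")
    return replace(tgt, issued_at=now, expires_at=now + lifetime)


def issue_service_ticket(tgt, service, now=None):
    """TGS exchange: the HBAC-like decision keyed on the target service,
    made after authentication rather than before it."""
    now = time.time() if now is None else now
    if now > tgt.expires_at:
        raise PolicyError("TGT expired")
    required = SERVICE_POLICY.get(service, 1)
    if tgt.factors < required:
        raise PolicyError(
            f"{service} requires {required} factor(s), TGT was obtained with {tgt.factors}")
    return {"principal": tgt.principal, "service": service, "factors": tgt.factors}


def can_access(tgt, service, now=None):
    """Convenience wrapper returning a boolean policy decision."""
    try:
        issue_service_ticket(tgt, service, now)
        return True
    except PolicyError:
        return False


if __name__ == "__main__":
    t0 = 1_000_000.0
    pw_only = issue_tgt("alice@EXAMPLE.TEST", True, False, now=t0)
    pw_otp = issue_tgt("alice@EXAMPLE.TEST", True, True, now=t0)
    for tgt in (pw_only, pw_otp):
        for svc in SERVICE_POLICY:
            print(f"factors={tgt.factors} {svc}: {can_access(tgt, svc, now=t0)}")
    renewed = renew_tgt(pw_otp, now=t0 + 3600)
    print("renewed keeps factors:", renewed.factors)
```

The point the model makes is that the source-based restriction the question asks for cannot be expressed at the AS exchange at all (the KDC does not yet know which service the user will ask for), which is why the reply puts the check at the TGS exchange and insists the strength be carried in the TGT.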

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project