Thanks for quick response, further questions inline.

On Mon, Aug 11, 2014 at 11:49 AM, Alexander Bokovoy <>

> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>> Ok, I am trying to figure out how to use native OTP capabilities in
>> FreeIPA4 to authenticate users but I am not finding enough docs on how to
>> Specifically I would like to force OTP authentication on specific servers
>> while allowing password auth in other cases. As I understand
>> authentication, you can either select OTP or password or both
>> authentications, but if you select both, the user can use password instead
>> of otp from ANY server.
> That is correct.
So it is NOT intended to be used for border-style 2FA authentication (e.g.
VPN), which seems like it may be a common use case for 2FA?

>> Is there any way to block password auth based on source (HBAC rules?) So
>> far the only way I can figure out is to create a second account, which is
>> less than optimal.
> No, this functionality is not supported. One particular issue is that
> we'll need to authenticate before applying HBAC rules, not after, so
> some other means to validate the request chain are needed.

> Additionally, Kerberos authentication requires you to enter your credentials
> only when obtaining a ticket granting ticket (TGT) which happens before
> a client will ask for a ticket to a specific service. Also, renewing the
> ticket might be possible without original credentials. Perhaps we could
> add a flag into TGT that would tell how strong were credentials (how
> many factors were in use) when TGT was obtained and then use it in a
> policy to see if a ticket to the target service principal could be
> granted.
I think I understand: HBAC has no way to know how you authenticated, so
you cannot make rules based on that?

Is there a way to test OTP token auth while bypassing Kerberos? For
example, you can validate a user's password via an LDAP login; can you do a
similar validation of an OTP token directly?
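The LDAP login check mentioned in the last question, as an added example (not code from this thread, from FreeIPA or from its authors): a Python script using only the standard library that performs an LDAP simple bind over LDAPS and reports the server's result code, so a credential can be checked with no Kerberos ticket involved. The host name, the uid=...,cn=users,cn=accounts,dc=... DN layout and the behaviour that a FreeIPA user with a token binds using the static password immediately followed by the OTP code are assumptions of the example, not statements from the thread.

```python
"""Check a user's credentials with an LDAP simple bind (no Kerberos).

Added example, stdlib only: the BER encoding of the LDAP BindRequest and
BindResponse (RFC 4511) is done by hand so no third-party LDAP module is
needed. Host, DN layout and the password+OTP concatenation are assumptions.
"""
import socket
import ssl
import sys
from getpass import getpass

# Subset of RFC 4511 result codes relevant to a bind.
RESULT_CODES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber_len(n):
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] pw } }.

    msg_id is encoded as a one-byte INTEGER, so it must be below 128.
    """
    if not 0 <= msg_id < 0x80:
        raise ValueError("msg_id must be in 0..127")
    bind_request = _tlv(0x60,                              # [APPLICATION 0] BindRequest
                        _tlv(0x02, b"\x03")                # version 3
                        + _tlv(0x04, dn.encode())          # name (LDAPDN)
                        + _tlv(0x80, password.encode()))   # simple [0] credentials
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind_request)


def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return message id, result code and diagnostic text of a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)                        # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)               # matchedDN (ignored)
    _, diagnostic, _ = _read_tlv(op, pos)                  # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": rc,
            "result": RESULT_CODES.get(rc, "other(%d)" % rc),
            "diagnostic": diagnostic.decode("utf-8", "replace")}


def ldap_simple_bind(host, dn, password, port=636, timeout=5.0):
    """Bind over LDAPS and return the parsed BindResponse.

    Assumption for an OTP-enrolled FreeIPA user: the bind password is the
    static password immediately followed by the token code. TLS is used so
    neither factor crosses the wire in clear.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, dn, password))
            data = tls.recv(4096)      # a BindResponse is only a few dozen bytes
    return parse_bind_response(data)


if __name__ == "__main__":
    # usage: script.py ipa.example.com uid=alice,cn=users,cn=accounts,dc=example,dc=com
    host, user_dn = sys.argv[1], sys.argv[2]
    secret = getpass("password (followed by OTP code if enrolled): ")
    print(ldap_simple_bind(host, user_dn, secret))
```

A simple bind only reports whether the credentials were accepted at that moment; as the reply above explains, it says nothing about how a Kerberos TGT was obtained, so it checks the token, not the per-server policy being asked about.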


Manage your subscription for the Freeipa-users mailing list: