On 08/11/2014 08:49 PM, Alexander Bokovoy wrote:
On Mon, 11 Aug 2014, Michael Lasevich wrote:
Ok, I am trying to figure out how to use native OTP capabilities in
FreeIPA4 to authenticate users but I am not finding enough docs on how to

Specifically I would like to force OTP authentication on specific servers
while allowing password auth in other cases. As I understand
authentication, you can either select OTP or password or both
authentications, but if you select both, the user can use password instead
of otp from ANY server.
That is correct.

Is there any way to block password auth based on source (HBAC rules?) So
far the only way I can figure out is to create a second account, which is
less than optimal.
No, this functionality is not supported. One particular issue is that
we'll need to authenticate before applying HBAC rules, not after, so
some other means to validate the request chain are needed.

Additionally, Kerberos authentication requires to enter your credentials
only when obtaining a ticket granting ticket (TGT) which happens before
a client will ask for a ticket to a specific service. Also, renewing the
ticket might be possible without original credentials. Perhaps we could
add a flag into TGT that would tell how strong were credentials (how
many factors were in use) when TGT was obtained and then use it in a
policy to see if a ticket to the target service principal could be

It worth to file an RFE, anyway.

We already have these RFEs and they are in plans.
They have not been implemented because it required a lot of the upstream Kerberos standards work.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to