On 08/11/2014 08:49 PM, Alexander Bokovoy wrote:
> On Mon, 11 Aug 2014, Michael Lasevich wrote:
> > Ok, I am trying to figure out how to use native OTP capabilities in
> > FreeIPA4 to authenticate users but I am not finding enough docs on
> > Specifically I would like to force OTP authentication on specific
> > while allowing password auth in other cases. As I understand
> > authentication, you can either select OTP or password or both
> > authentications, but if you select both, the user can use password
> > or OTP from ANY server.
> That is correct.
>
> > Is there any way to block password auth based on source (HBAC rules?) So
> > far the only way I can figure out is to create a second account,
> > less than optimal.
> No, this functionality is not supported. One particular issue is that
> we'll need to authenticate before applying HBAC rules, not after, so
> some other means to validate the request chain are needed.
>
> Additionally, Kerberos authentication requires you to enter your credentials
> only when obtaining a ticket granting ticket (TGT), which happens before
> a client will ask for a ticket to a specific service. Also, renewing the
> ticket might be possible without original credentials. Perhaps we could
> add a flag into the TGT that would tell how strong the credentials were (how
> many factors were in use) when the TGT was obtained and then use it in a
> policy to see if a ticket to the target service principal could be
> It is worth filing an RFE, anyway.
We already have these RFEs and they are in plans.
They have not been implemented because it required a lot of the upstream
Kerberos standards work.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
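The mechanism Alexander sketches above (record how many factors were verified when the TGT was issued, then let a per-service policy consult that record when a service ticket is requested) can be modelled in a few lines. The following is an added illustration written for this thread; it is not FreeIPA or MIT Kerberos code, and the `TGT` class, the `SERVICE_POLICY` table and the service principal names are constructed for the example. It also models the renewal point from the thread: a renewed TGT keeps the factor set of the original and cannot gain strength. (Kerberos later standardised this idea as authentication indicators, RFC 8129.)

```python
"""Toy model of 'how many factors were used when the TGT was obtained'
being carried in the TGT and checked by a per-service policy at TGS time.

Added example for the freeipa-users thread; not FreeIPA/Kerberos code.
All principals, services and the policy table are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class TGT:
    principal: str
    factors: FrozenSet[str]   # factors verified at AS time, e.g. {"password", "otp"}
    renewed: bool = False     # renewals re-use the original factor set


# Constructed policy: minimum number of factors each service requires.
# A service not listed falls back to requiring a single factor.
SERVICE_POLICY: Dict[str, int] = {
    "host/bastion.example.test": 2,   # password + OTP required
    "HTTP/wiki.example.test": 1,      # password alone is enough
}


def issue_tgt(principal: str, password_ok: bool, otp_ok: bool) -> TGT:
    """Model the AS exchange: the TGT records which factors were verified.

    With FreeIPA's 'password or OTP' user auth type either factor alone
    yields a TGT; the difference is only visible in the recorded factor set.
    """
    factors = set()
    if password_ok:
        factors.add("password")
    if otp_ok:
        factors.add("otp")
    if not factors:
        raise PermissionError("preauthentication failed")
    return TGT(principal, frozenset(factors))


def renew_tgt(tgt: TGT) -> TGT:
    """Renewal needs no credentials, so it must not raise the strength."""
    return TGT(tgt.principal, tgt.factors, renewed=True)


def service_ticket_allowed(tgt: TGT, service: str) -> bool:
    """Model the TGS-side check: enough factors at TGT time for this service?"""
    required = SERVICE_POLICY.get(service, 1)
    return len(tgt.factors) >= required


if __name__ == "__main__":
    weak = issue_tgt("alice@EXAMPLE.TEST", password_ok=True, otp_ok=False)
    strong = issue_tgt("alice@EXAMPLE.TEST", password_ok=True, otp_ok=True)
    for tgt in (weak, strong, renew_tgt(strong)):
        for svc in SERVICE_POLICY:
            print(sorted(tgt.factors), "renewed" if tgt.renewed else "fresh",
                  svc, "->", "allow" if service_ticket_allowed(tgt, svc) else "deny")
```

The point the model makes concrete is the one in the thread: because factors are only proven at AS time, the decision at TGS time can only be as good as what the TGT records, and a renewal must inherit rather than upgrade that record.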
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project