My thought is that while 2 and 3 are same from IPA point of view, since I
am guaranteed to be sending a different credentials in those cases I am
guaranteed to be checking both password and otp. Prevents a case where
user's password ends in a string of digits similar to OTP.

I will look into checking the tokens for changes, but that seems a bit more
complicated and error-prone.


On Mon, Aug 11, 2014 at 1:04 PM, Alexander Bokovoy <>

> On Mon, 11 Aug 2014, Michael Lasevich wrote:
>> On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy <>
>> wrote:
>>  On Mon, 11 Aug 2014, Michael Lasevich wrote:
>>>  So, it is NOT intended to use for border-style 2FA authentication (i.e.
>>>> VPN) - which seems may be a common use case for 2FA?
>>>>  You can always supplement authentication check with some host-specific
>>> information at the VPN concentrator. We don't have ready to use solution
>>> here but it is definitely possible to use such scheme against FreeIPA
>>> 2FA.
>>>  Sorry, I am not following.  What do you mean by "host-specific
>> information"? If system has no way to detect how many factors were
>> involved
>> in authentication, how would I be able to guarantee that only 2FA is
>> allowed via this box?
>> I suppose this can work: I can write code that will:
>> 1 - detects if there are OTP numbers at the end of the password
>> 2 - authenticates using full 2FA
>> 3 - authenticates using just password without 2FA
>> And then authenticate only if all 3 conditions are satisfied. Seems a bit
>> hacky, but that is the only way I can think that may work.
> 2 and 3 are the same from IPA point of view, just an LDAP bind. Ideally
> SSSD could handle this as part of a PAM stack by providing PAM
> feedback that could be used by other modules. There was no request for
> this functionality before.
> However, I was mostly thinking that you may have an authentication
> sequence where past successful auth you would check tokens associated
> with the user to see if there is a recent update within the same time
> period on one of tokens. This would work right now, though it is a bit a
> hack -- a better one than the 2-accounts-per-user.
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to