On 12/11/2014 06:32 PM, free...@pettyvices.com wrote:

I'd like to be able to require 2FA on *certain* hosts and allow just passwords on others.

It seems you can check both "passwords" and "2FA" under the user.

I was hoping I could create a HBAC such that certain hosts would only allow 2FA, but I can't see an obvious way to do that.

Is it possible?  Help on how would be great.  If not, feature request?



We have several tickets:




If you see https://fedorahosted.org/freeipa/ticket/4498#comment:6, we discussed this use case. I was about to fork it as said, but then I realized that there is no good way on the KDC to determine the host you are coming from.
So IMO it should be a policy decision on SSSD.
There are two options:
- short term solution: allow SSSD to have a local overwrite to require OTP if server offers different options.
- longer term solution: actually have a per host policy that is centrally managed that is fetched per host and enforced by SSSD.

Before filing tickets I would like to hear opinions on the matter.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
