> On May 18, 2015, at 09:47, Nathaniel McCallum <npmccal...@redhat.com> wrote:
>> On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:
>> Ok, let me ask this a different way, because maybe there is a way, 
>> and I am just not seeing it.
>> I have 2 datacenters with typical bastions in each. I have enabled 
>> OTP and that works fine via ssh. But the user has to login to both 
>> and opening ssh tunnels is problematic at best.
>> Using all the creativity in this list, maybe someone knows of another 
>> way to have a user authenticate from a Mac where they would only have 
>> to do it once to get their ticket?
>> I guess I can't think of anything, but no harm in asking.
> Without support for the OTP pre-authentication mechanism, I don't know
> of any way to do this while still retaining the security properties of
> Kerberos. Basically, you'll have to hand over your password to a third
> party (which has OTP support). This is ill advised.
> Nathaniel

Excellent point.  Thanks for all the tips and advice. 
And of course for a great product that continues to get better.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to