Hi Simo,

Thanks for the reply. Could you please elaborate or point me to some documentation on how to set this up?

What I want to be able to achieve is that a user should log in with 2FA once a day and all subsequent logins are allowed through public key only.

Regards.
--Prashant

On 30 June 2015 at 15:44, Simo Sorce <[email protected]> wrote:

> On Tue, 2015-06-30 at 10:06 +0200, Sumit Bose wrote:
> > On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote:
> > > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote:
> > > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote:
> > > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I was able to set this up in a Fedora instance with SSSD and it works as
> > > > > > expected. SSHD first uses the public key and then prompts for password
> > > > > > which is of course password+OTP.
> > > > > >
> > > > > > However, having a user enter the password+OTP every time he logs in during
> > > > > > the day is kind of inconvenient. Is it possible to make sure the user has
> > > > > > to log in once and the credentials are cached for say 12/24 hours? I know
> > > > > > this is possible just using the password. Question is, is this possible
> > > > > > using password+OTP?
> > > > >
> > > > > We have an SSSD feature under review now that would help you:
> > > > > https://fedorahosted.org/sssd/ticket/1807
> > > > >
> > > > > But to be honest, I'm not sure if we tested the patches with 2FA yet. We
> > > > > should!
> > > >
> > > > hm, I agree we should, but I guess we should test that cached
> > > > authentication does _not_ work with 2FA/OTP. Because it is expected that
> > > > the OTP token only works once, so that e.g. it can be used in an
> > > > insecure environment to set up a secure tunnel.
> > >
> > > Sure, the second factor must not be reused :-) but couldn't we use the
> > > cached auth to support cases like this where the second factor is to be
> > > used only once per some time and use only the first factor in the
> > > meantime?
> >
> > I'm a bit reluctant here. If the two factors are intercepted in an
> > insecure environment the attacker will still have a valid password which
> > can be used for some time. Additionally, iirc cached authentication is
> > not aware of the service used. If e.g. OTP was used to just get a
> > response from some unprotected and unprivileged service the intercepted
> > password can be used to log in with ssh as well. So I guess we need a
> > careful discussion here.
>
> The solution for these environments already exists and it is called
> GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or
> more hours. There is no need to invent broken ways to skip two factor
> auth when we already have a way to make this easy *and* secure.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
