On 07/16/2015 06:58 PM, Bendl, Kurt wrote:
> I'm planning our implementation of IdM/IPA, and I'm unclear about how I can
> implement IPA's OTP for privileged access.
> I need to be able to set up systems so:
> * accounts can auth using traditional userid/password
> * privileged access (sudo) requires OTP
> We've done some testing, injecting a 3rd party OTP solution (PrivacyIDEA) into
> the mix. This seems to work. But, if I can make IPA's built-in mojo work, I'd
> prefer to keep it all in the family.

FreeIPA OTP cannot be configured at the moment to only require OTP in some
services. We plan this for the future
(https://fedorahosted.org/freeipa/ticket/433), but we are not there yet.
Sudo is different though, as it is not a classic Kerberos service per se; this
policy would need to be enforced in sudo (SSSD?) itself. CCing Jakub and
Nathaniel, to see if they know about any hack allowing this.
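As an added illustration, not code from FreeIPA or from either poster, here is a simplified model of what "requires OTP" means for a FreeIPA user with OTP enabled: the user submits the static password and the token code as one string, and the authenticating side checks the static part and then an RFC 6238 TOTP code against the user's token seed, allowing a small clock-skew window. The user record, password and seed below are constructed demo values (the seed is the RFC 6238 test seed), and the check is deliberately keyed off the user's auth type rather than the service being accessed, which is the per-user behaviour the reply above describes.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo data, not FreeIPA data: the RFC 6238 test seed, base32-encoded
# as a token seed would be, and a hypothetical user record with OTP enabled.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
DEMO_USER = {
    "name": "demo",
    "password": "correct horse",
    "totp_seed": DEMO_SEED_B32,
    "auth_type": "otp",      # "password" would mean no token check at all
}

TOTP_STEP = 30
TOTP_DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_password_plus_otp(user: dict, submitted: str, now: int, window: int = 1) -> bool:
    """Verify a combined 'password + OTP' string.

    For an OTP-enabled user the trailing TOTP_DIGITS characters are the token code
    and everything before them is the static password. Codes from `window`
    adjacent time steps on either side are accepted to tolerate clock skew.
    A user without OTP enabled is checked on the static password only."""
    if user["auth_type"] != "otp":
        return hmac.compare_digest(submitted.encode(), user["password"].encode())

    if len(submitted) <= TOTP_DIGITS:
        return False  # too short to contain both a password and a code
    static, code = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]

    # Check the static password first; a wrong password never reaches the token.
    if not hmac.compare_digest(static.encode(), user["password"].encode()):
        return False

    seed = base64.b32decode(user["totp_seed"])
    step_now = now // TOTP_STEP
    return any(
        hmac.compare_digest(code, hotp(seed, step_now + d))
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    code = totp(b"12345678901234567890", t)
    print("code at t=59:", code)
    print("accept:", verify_password_plus_otp(DEMO_USER, "correct horse" + code, t))
    print("reject stale code:", verify_password_plus_otp(DEMO_USER, "correct horse" + code, t + 120))
```

The static-password comparison is done before the token check so that a wrong password is rejected without touching the seed, and the window is kept at one step on either side, which is the usual trade-off between clock drift and the number of codes that are valid at once.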
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project