I'm quite close to reaching the ideal point with our new FreeIPA setup, but
one thing that is standing in the way is 2FA. I know FreeIPA has support
for Google Auth, FreeOTP, and Yubikey. We'd like to go with Yubikeys over
the phone-based systems, but a lot of the docs regarding Yubikey seem to
either be out-dated, or not real clear (at least to me). So I'd like to
ask a few questions to make sure I'm understanding correctly.
1) It looks like the normal setup of a Yubikey is to plug it into a machine
and run the "ipa otptoken-add-yubikey" command. This implies that the
machine that sets up the Yubikey needs to be part of the FreeIPA domain,
which presents somewhat of a problem for us, as our current IPA setup has
no desktops, and is in a remote "lights-out" datacenter an hour's drive
from our office. I did see a post recently in the archives of someone
figuring out how to set up a Yubikey via the web interface (
would this be viable?
2) Does the otptoken-add-yubikey command actually change the programming of
the Yubikey, or does it simply read it's configuration? We have some users
who are already using a Yubikey for personal stuff, and we'd like to allow
those users to continue to use their existing Yubikey to auth to our IPA
domain, but if the add command changes the programming of the key, that may
not be possible without using the second slot, and if users are already
using the second slot, they are out of luck.
3) Does Yubikey auth require talking to the outside world to function? Our
IPA setup is within a secure zone, with no direct connectivity to the
outside world, so if this is necessary, it would be a possible deal-breaker
Thanks for your time in answering these questions!
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project