Hi Jeremy,

> On 22.04.2016 at 22:40, Jeremy Utley <jer...@ifuzioncorp.com> wrote:
>
> Hello all!
>
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but
> one thing that is standing in the way is 2FA. I know FreeIPA has support for
> Google Auth, FreeOTP, and YubiKey. We'd like to go with YubiKeys over the
> phone-based systems, but a lot of the docs regarding YubiKey seem to either
> be outdated, or not real clear (at least to me). So I'd like to ask a few
> questions to make sure I'm understanding correctly.
>
> 1) It looks like the normal setup of a YubiKey is to plug it into a machine
> and run the "ipa otptoken-add-yubikey" command. This implies that the
> machine that sets up the YubiKey needs to be part of the FreeIPA domain,
> which presents somewhat of a problem for us, as our current IPA setup has no
> desktops, and is in a remote "lights-out" datacenter an hour's drive from our
> office. I did see a post recently in the archives of someone figuring out
> how to set up a YubiKey via the web interface
> (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) -
> would this be viable?
Sure, but you shouldn't use online base32 converters for that. You can use the
YubiKey personalization tools and the web interface/API to enroll YubiKeys
manually.

>
> 2) Does the otptoken-add-yubikey command actually change the programming of
> the YubiKey, or does it simply read its configuration? We have some users
> who are already using a YubiKey for personal stuff, and we'd like to allow
> those users to continue to use their existing YubiKey to auth to our IPA
> domain, but if the add command changes the programming of the key, that may
> not be possible without using the second slot, and if users are already using
> the second slot, they are out of luck.

HOTP/TOTP depend on a shared secret between the token and FreeIPA. This needs
to be stored in one of the two slots of the YubiKey.

> 3) Does YubiKey auth require talking to the outside world to function? Our
> IPA setup is within a secure zone, with no direct connectivity to the outside
> world, so if this is necessary, it would be a possible deal-breaker for these.

No, this would only be needed if you would use the factory-programmed Yubico
key in slot 1, which is not supported by FreeIPA anyway.

David
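The manual enrollment David describes (program a slot with the YubiKey personalization tools, then register the same secret in FreeIPA through the CLI or web UI) comes down to one shared OATH-HOTP secret handled in two encodings, and the warning about online base32 converters is exactly that the secret must never leave your machine. The script below is an added example, not code from this thread or from FreeIPA: it generates the secret locally, prints it once as hex for ykpersonalize and once as Base32 for ipa otptoken-add / the web UI, and implements RFC 4226 HOTP so you can check that the code the key types matches what the server will compute before the user is locked out. The slot number, owner name and digit count in the printed commands are assumptions for illustration; the option names are those of ykpersonalize and the ipa CLI as documented, so confirm them against the versions you run.

```python
"""Local-only OATH-HOTP enrollment helper for a YubiKey slot + FreeIPA.

Added example; not part of the original thread or of FreeIPA's own code.
Standard library only, so nothing here talks to the network.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def new_secret(nbytes: int = 20) -> bytes:
    """OATH-HOTP on the YubiKey is HMAC-SHA1, so the slot key is 20 bytes."""
    return secrets.token_bytes(nbytes)


def secret_for_ykpersonalize(secret: bytes) -> str:
    """ykpersonalize -a takes the key as 40 hex characters."""
    return secret.hex()


def secret_for_ipa(secret: bytes) -> str:
    """ipa otptoken-add --key and the web UI take the same key as Base32."""
    return base64.b32encode(secret).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, counter: int, code: str,
                digits: int = 6, window: int = 10):
    """Server-side style check: accept `code` if it matches any counter in
    [counter, counter + window).  Returns the matching counter (the value
    the server would store as the next expected counter is that + 1), or
    None if the key is programmed with a different secret or has drifted
    past the window (e.g. the user pressed the button many times)."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def enrollment_commands(secret: bytes, slot: int = 2, owner: str = "jeremy",
                        digits: int = 6):
    """The two commands to type: program the key on the local machine, then
    register the identical secret in IPA.  Slot, owner and digits are
    assumed values; --counter=0 matches a freshly programmed slot."""
    hotp_flag = "-ooath-hotp8" if digits == 8 else "-ooath-hotp"
    return [
        f"ykpersonalize -{slot} {hotp_flag} -oappend-cr "
        f"-a{secret_for_ykpersonalize(secret)}",
        f"ipa otptoken-add --type=hotp --algo=sha1 --digits={digits} "
        f"--counter=0 --owner={owner} --key={secret_for_ipa(secret)}",
    ]


if __name__ == "__main__":
    key = new_secret()
    for cmd in enrollment_commands(key):
        print(cmd)
    # After programming the slot, touch the key in a terminal and paste the
    # code here; a None result means the slot does not hold this secret.
    print("first code the key should type:", hotp(key, 0))
```

Run it on the machine the YubiKey is plugged into, which does not need to be IPA-enrolled: only the second command needs IPA access, and that can be typed on any host with the ipa client (or the Base32 value pasted into the web UI's token form). Keep the printed secret out of shell history and ticket systems; once both commands have run it exists only in the slot and in the server's token entry.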
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project