Hi Jeremy,

> On 22.04.2016 at 22:40, Jeremy Utley <jer...@ifuzioncorp.com> wrote:
> Hello all!
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but 
> one thing that is standing in the way is 2FA.  I know FreeIPA has support for 
> Google Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over the 
> phone-based systems, but a lot of the docs regarding Yubikey seem to either 
> be out-dated, or not real clear (at least to me).  So I'd like to ask a few 
> questions to make sure I'm understanding correctly.
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine 
> and run the "ipa otptoken-add-yubikey" command.  This implies that the 
> machine that sets up the Yubikey needs to be part of the FreeIPA domain, 
> which presents somewhat of a problem for us, as our current IPA setup has no 
> desktops, and is in a remote "lights-out" datacenter an hour's drive from our 
> office.  I did see a post recently in the archives of someone figuring out 
> how to set up a Yubikey via the web interface 
> (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - 
> would this be viable?

Sure, but you shouldn’t use online base32 converters for that. You can use the 
YubiKey personalization tools and the web interface/API to enroll YubiKeys.

> 2) Does the otptoken-add-yubikey command actually change the programming of 
> the Yubikey, or does it simply read its configuration?  We have some users 
> who are already using a Yubikey for personal stuff, and we'd like to allow 
> those users to continue to use their existing Yubikey to auth to our IPA 
> domain, but if the add command changes the programming of the key, that may 
> not be possible without using the second slot, and if users are already using 
> the second slot, they are out of luck.

HOTP/TOTP depend on a shared secret between the token and FreeIPA. This needs 
to be stored in one of the two slots of the YubiKey.

> 3) Does Yubikey auth require talking to the outside world to function?  Our 
> IPA setup is within a secure zone, with no direct connectivity to the outside 
> world, so if this is necessary, it would be a possible deal-breaker for these.

No, this would only be needed if you used the factory-programmed Yubico 
key in slot 1, which is not supported by FreeIPA anyway.
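
The offline alternative to an online base32 converter, as an added example that is not part of the original message: it converts a token secret to base32 locally and checks the resulting HOTP codes against the RFC 4226 test vectors. It assumes the secret is available as a hex string (an assumption about how the programming tool displays it); the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct


def hex_secret_to_base32(hex_secret: str) -> str:
    """Convert a hex-encoded OATH secret to base32 without leaving this machine."""
    # Tolerate the spaces or colons some tools put between bytes.
    cleaned = "".join(ch for ch in hex_secret if ch not in " :\t\n")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) < 16:
        # RFC 4226 requires a shared secret of at least 128 bits.
        raise ValueError("secret shorter than 128 bits")
    return base64.b32encode(raw).decode("ascii")


def hotp(base32_secret: str, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for a base32 secret and counter."""
    key = base64.b32decode(base32_secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample: the public RFC 4226 Appendix D test secret,
    # written as hex with spaces. Never use it for a real token.
    sample_hex = "31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30"
    b32 = hex_secret_to_base32(sample_hex)
    print("base32 secret:", b32)
    # The first codes should match what the token emits after programming.
    for counter in range(3):
        print(counter, hotp(b32, counter))
```

Comparing the first few computed codes with what the token emits confirms that the secret was converted correctly before enrollment.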

