On 04/22/2016 10:40 PM, Jeremy Utley wrote:
> Hello all!
> 
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but
> one thing that is standing in the way is 2FA.  I know FreeIPA has support for
> Google Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over the
> phone-based systems, but a lot of the docs regarding Yubikey seem to either
> be outdated, or not real clear (at least to me).  So I'd like to ask a few
> questions to make sure I'm understanding correctly.
> 
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine
> and run the "ipa otptoken-add-yubikey" command.  This implies that the
> machine that sets up the Yubikey needs to be part of the FreeIPA domain,
> which presents somewhat of a problem for us, as our current IPA setup has no
> desktops, and is in a remote "lights-out" datacenter an hour's drive from
> our office.  I did see a post recently in the archives of someone figuring
> out how to set up a Yubikey via the web interface
> (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) -
> would this be viable?

Interesting question/suggestion, CCing Nathaniel on this one, he authored the
feature.

> 2) Does the otptoken-add-yubikey command actually change the programming of
> the Yubikey, or does it simply read its configuration?  We have some users
> who are already using a Yubikey for personal stuff, and we'd like to allow
> those users to continue to use their existing Yubikey to auth to our IPA
> domain, but if the add command changes the programming of the key, that may
> not be possible without using the second slot, and if users are already
> using the second slot, they are out of luck.
> 
> 3) Does Yubikey auth require talking to the outside world to function?  Our
> IPA setup is within a secure zone, with no direct connectivity to the
> outside world, so if this is necessary, it would be a possible deal-breaker
> for these.

None of the FreeIPA setup should require communication with the outside world,
maybe except some of the current DNS checks during validation. If it does, it
sounds like a bug to me, as I know about multiple deployments of FreeIPA in such
environments.

Martin
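
As an added example that is not part of the thread and not FreeIPA's own code:
once a YubiKey slot has been programmed in OATH-HOTP mode, which is what
"ipa otptoken-add-yubikey" sets up, validating a press is plain RFC 4226
arithmetic on the IPA server, so the OTP check itself has nothing to say to
Yubico's cloud. The script below implements that arithmetic together with the
server-side counter and look-ahead window, and walks through the cases an
admin runs into (a replayed code, presses that never reached the server, a key
that drifted past the window). The shared secret is the RFC 4226 test vector
key and the window size of 5 is an illustrative assumption, not FreeIPA's
configured value.

```python
"""
Added example (not FreeIPA code, not from the thread): the HOTP arithmetic
behind a YubiKey slot programmed in OATH-HOTP mode. All values are
constructed; the secret is the RFC 4226 test-vector key, and the look-ahead
window size is an illustrative choice, not FreeIPA's configured value.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4226 Appendix D test secret (20 ASCII bytes), used as the constructed shared key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class HotpToken:
    """Server-side state for one enrolled token: shared key, the next counter
    the server expects, and how far ahead it is willing to look."""
    secret: bytes
    counter: int = 0
    digits: int = 6
    window: int = 5  # illustrative; absorbs presses that never reached the server

    def verify(self, code: str) -> bool:
        """Accept `code` only for a counter in [counter, counter + window), then
        move past that counter so the same press can never be accepted twice."""
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1
                return True
        return False


def simulate_key_presses() -> list:
    """Walk through the cases an admin cares about, returning (label, accepted)
    pairs. The 'key' is modelled by calling hotp() with the counter the
    YubiKey slot would hold, incrementing on every press."""
    server = HotpToken(RFC4226_SECRET)
    key_counter = 0

    def press() -> str:
        nonlocal key_counter
        code = hotp(RFC4226_SECRET, key_counter)
        key_counter += 1
        return code

    results = []
    first = press()
    results.append(("first press", server.verify(first)))            # accepted
    results.append(("replay of first press", server.verify(first)))  # rejected
    press(); press()                                                 # two presses lost in transit
    results.append(("press after two lost ones", server.verify(press())))  # accepted, inside window
    for _ in range(5):                                               # key drifts just past the window
        press()
    results.append(("press beyond the window", server.verify(press())))   # rejected
    return results


if __name__ == "__main__":
    for label, ok in simulate_key_presses():
        print(f"{label:28s} -> {'accepted' if ok else 'rejected'}")
```

The accept-then-advance step in verify() is the replay protection: once a
counter has been consumed, no code at or below it is ever valid again. The
last case shows the flip side: a key pressed more times than the window allows
(for instance while unplugged at someone's desk) stops authenticating until
the server's counter is explicitly resynchronized to the key.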

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project