Hi, I'm running my own privacyidea instance to manage my Yubikey and other OTP tokens. Right now I have to decide in which system my Yubikey is managed; right now it is in privacyidea. My token is in yubico mode, so no HOTP/TOTP for now.
For now I run a FreeRADIUS as a frontend to privacyidea and use that in FreeIPA to authenticate my user, but I think it is too complex and fragile for my small installation. And FreeIPA is dependent on an external user store (for me Kolab's dirsrv right now) as well. What I'd find useful is something like the following:

- A yubikey token generates a 44 character OTP; the first 12 characters identify the token. This could be a factory initialized token or a locally initialized one.
- A user has a yubikey token assigned (the 12 character identifier) and a validation server that will check the OTP. Default servers could be yubico's validation servers (https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s), while it should be possible to use a self hosted infrastructure with yubico's software or something like privacyidea or linotp (somewhat similar to the RADIUS configuration). The validation protocol is explained at https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html and is quite simple. The authentication option for the user would be password+OTP.
- When logging in the user is first asked for the first factor (password), and then the second factor (OTP). ipa-otp would hand off the validation to the external server and act according to the response.

That way a yubikey token can be used for other applications (like Kolab/Roundcube, pam_yubico etc.) as well as for FreeIPA, because the secret and counter are stored in one central system that is queried by all applications. Something like that would possibly require changes to the LDAP schema [1] in addition to changes to ipa-otp, ipa, and the webui.

Do you think something like that would be useful?

Jochen

[1] Kolab documents this at https://git.kolab.org/T414: The Roundcube plugin is basically functional to run locally as of commit rRPK9cd117d7. There's some documentation about the kolab_2fa plugin, its components, installation and configuration in the README.md. Please note that the Yubikey driver doesn't work with the LDAP storage due to missing coverage in the FreeIPA schema.

--
The only problem with troubleshooting is that the trouble shoots back.

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
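The hand-off the post proposes (take the OTP, pull the 12 character public ID off the front, send the OTP to a Validation Protocol V2.0 server, act on the signed reply) is small enough to show end to end. The following is an added example written for this page; it is not code from the post, from FreeIPA, privacyIDEA or Yubico. The client id, the API key, the sample OTP and the validation server's reply are all constructed here (the server side is simulated with the same shared key) so the block runs offline; against api.yubico.com you would replace them with the id and key issued to you and send the built URL over HTTPS.

```python
"""Client side of the Yubico OTP Validation Protocol V2.0.

Added example (not code from the post, FreeIPA, privacyIDEA or Yubico).
Client id, API key and OTP below are constructed; the server reply is
simulated locally with the same shared key so the block runs offline.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

MODHEX = set("cbdefghijklnrtuv")          # YubiKey OTPs are modhex-encoded
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

# Constructed fixtures: hypothetical client id and API key, not real credentials.
CLIENT_ID = 12345
API_KEY_B64 = base64.b64encode(bytes(range(20))).decode()
SAMPLE_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"   # constructed, 44 chars


def public_id(otp: str) -> str:
    """Return the public identity: everything before the 32-char ciphertext.

    Factory-programmed keys use a 12-char public ID, giving the 44-char OTP
    the post mentions; the protocol allows 32..48 modhex characters in total.
    """
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48 or not set(otp) <= MODHEX:
        raise ValueError("not a modhex YubiKey OTP")
    return otp[:-32]


def sign(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'k=v&k=v...' with keys sorted and h excluded, base64 output.

    The same construction signs the request and lets the client verify the
    server's reply, so a man-in-the-middle without the API key cannot forge status=OK.
    """
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_request(client_id: int, otp: str, api_key_b64: str, nonce: str = "") -> tuple:
    """Build the signed verify URL; returns (url, nonce) so the caller can check the echo."""
    nonce = nonce or secrets.token_hex(16)      # protocol wants 16..40 alphanumerics
    params = {"id": str(client_id), "otp": otp, "nonce": nonce, "timestamp": "1"}
    params["h"] = sign(params, api_key_b64)
    return f"{VERIFY_URL}?{urlencode(params)}", nonce


def parse_response(body: str) -> dict:
    """Parse the CRLF-separated 'key=value' lines the validation server returns."""
    fields = {}
    for line in body.replace("\r\n", "\n").split("\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    return fields


def check_response(body: str, api_key_b64: str, otp: str, nonce: str) -> str:
    """Return the server status only if the reply is authentic and answers our request."""
    fields = parse_response(body)
    expected = sign(fields, api_key_b64)
    if "h" not in fields or not hmac.compare_digest(fields["h"], expected):
        return "RESPONSE_SIGNATURE_INVALID"   # local verdict, not a server status
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return "RESPONSE_MISMATCH"            # replayed or cross-wired answer
    return fields.get("status", "RESPONSE_MISSING_STATUS")


def fake_server_response(otp: str, nonce: str, status: str, api_key_b64: str) -> str:
    """Constructed stand-in for the validation server so the example runs offline."""
    fields = {"t": "2024-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign(fields, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


if __name__ == "__main__":
    url, nonce = build_request(CLIENT_ID, SAMPLE_OTP, API_KEY_B64)
    print("token public id:", public_id(SAMPLE_OTP))   # the value to store per user
    print("GET", url)
    reply = fake_server_response(SAMPLE_OTP, nonce, "OK", API_KEY_B64)
    print("verdict:", check_response(reply, API_KEY_B64, SAMPLE_OTP, nonce))
    forged = reply.replace("status=OK", "status=REPLAYED_OTP")
    print("tampered reply:", check_response(forged, API_KEY_B64, SAMPLE_OTP, nonce))
```

The two checks in check_response are the ones a PAM module or an ipa-otp hook must not skip: verifying h with the shared API key, and confirming that the otp and nonce echoed back are the ones just sent. Without them an attacker on the path to the validation server could replay an old status=OK reply or return one for a different request, and the caller would still let the user in. Only after both pass does the status string (OK, BAD_OTP, REPLAYED_OTP, and so on) decide the login.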