On Sun, 06 Apr 2014, Nathan Broadbent wrote:
Hello,
I'm running FreeIPA version 3.3.4. I've done a little research, and it
seems like this version is missing support for OTP, but I could have sworn
that I found a page that said that OTP was finished and ready to use. And
in the server installation logs, I found some references to 'ipa-otpd'.
OTP support is part of FreeIPA 4.0 release plan. What was released prior
to that represents different components of the solution but not the full
solution
(yet). Full OTP functionality requires changes on both server and client
side. For example, password changes and token synchronization are two elements
which are tightly coupled client/server-side, though we have few more
specific examples.
I also remember reading about an otp plugin for FreeIPA, but it doesn't
seem to be installed on my server.
Our case is that we want to require OTP codes for SSH authentication. Even
for public key authentication, we would like to add a ForceCommand
directive to ssh config that would require the OTP code. It would be
awesome if that could be configured on a per-server basis in FreeIPA.
Is OTP production ready? I found the 'Red Hat Test Day' page where people
were testing OTP. If 3.3.4 doesn't support OTP, I'm happy to compile from
source. Where can I find the source / branch with the most current OTP
features? Will it be included in 4.0.0? Or should I checkout the 'otpui'
[1] branch on GitHub?
OTP support is not yet production ready, at least not labeled so in any
released FreeIPA version, we plan it for 4.0.
Following URL gives you an overview of what is still needs to be
finished:
https://fedorahosted.org/freeipa/query?component=OTP&status=!closed
You can try experimenting with the COPR repo I've made for testing OTP
functionality:
http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/
It requires Fedora 20 with all updates (including updates-testing repo)
installed prior to use. We are also still tuning SELinux policy so for
some cases there might be an occasional AVC even with fully updated
system. These need to be reported to bugzilla.redhat.com.
At this moment Fedora 20 is the only platform one can target as an
experimental FreeIPA server with OTP functionality enabled.
Very keen to start using the feature, and I'd be happy to help report and
fix any bugs. But at the same time, I don't want to compromise our security
if this feature hasn't been properly audited, so advice would be
appreciated.
As I said, this feature is under development. Some bugs may still lurk
in the code but wider testing should help in clearing them up, so any
effort in testing is definitely welcome!
--
/ Alexander Bokovoy
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
