Re: [Freeipa-users] OTP authentication without Password

[Jochen Hein]

"Master P."  writes:

> Is it possible to authenticate a user with only OTP and ssh-pubkeys?

Yes, but you need some tool managing OTP without password/PIN, which
FreeIPA doesn't seem to support.  I use privacyidea to manage my OTP
tokens and have a working configuration.

> So far I have successfully configured FreeIPA to use Two factor
> authentication (password + OTP).  I had to change the sshd_config to
> achieve this by modifying the AuthenticationMethods to be:
>
> AuthenticationMethods publickey,password:pam
> publickey,keyboard-interactive-pam

I do use:

Match Group otpusers
AuthenticationMethods publickey,keyboard-interactive:pam gssapi-with-mic

When authenticating with ssh key, also require PAM. Having a kerberos
ticket grants access.

My PAM configuration is:

# If the user is in group otpusers, we use the next rule, otherwise we skip
# the call to pam_yubico.
auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
auth sufficient pam_yubico.so id= key= 
urllist=https://privacyidea.jochen.org/ttype/yubikey 
authfile=/etc/yubikeys/authorized_yubikeys

I use Yubikeys in mode YUBICO, but my own privacyidea authentication
server. It should be also possible to use privacyidea as a backend
behind a RADIUS server for FreeIPA (I do use it for OpenVPN, but not
FreeIPA).

If find it more flexible to hand off OTP to a special tool like
privacyidea oder linotp - a token on FreeIPA, Kolab, or another
application is only a single purpose token.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] OTP authentication without Password

[Master P.]

Hello,

Is it possible to authenticate a user with only OTP and ssh-pubkeys?

So far I have successfully configured FreeIPA to use Two factor
authentication (password + OTP).  I had to change the sshd_config to
achieve this by modifying the AuthenticationMethods to be:

AuthenticationMethods publickey,password:pam
publickey,keyboard-interactive-pam

In this way the user's ssh-pubkey, password, and OTP are required to
login.  I would like to remove the password requirement but retain the OTP
auth.

>From the FreeIPA web UI there is no setting to only enable OTP without a
password.  Is there a way to change the sshd_config AuthenticationMethods
to only allow OTP + ssh-pubkey.  Does this instead require a change to one
of the pam files?

Thanks,

Alex
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project