[Freeipa-users] RSA Securid support
I've been doing a bit of reading on integrating securid w/ ipa and am coming up a little short. Up-stream MIT kerberos has some mention of supporting it:

http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support

But I'm not sure if or how that translates to IPA support. Some clever pam rules could certainly be shoehorned-in as a sort of RSA pre-auth layer before getting into the krb5/sss bits, but that seems hackish at best. There was something on this mailing list talking about AuthHub support, circa 2012, but neither the topic nor the AuthHub git repository seem to have been touched since.

So, long story short, is this on the roadmap, an existing feature, a hidden feature, or has it been done before? Any insight would be greatly appreciated! I dearly miss my IPA setup from my previous gig, but a hard-n-fast securid requirement makes it difficult to offer up as a solution here without more info on how they can cooperate.

Thanks,
--
Brian R. Lindblom
HPC Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] RSA Securid support
On Thu, 2014-06-05 at 18:13 +, Lindblom, Brian R. wrote:
> I've been doing a bit of reading on integrating securid w/ ipa and am coming up a little short. Up-stream MIT kerberos has some mention of supporting it:
>
> http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
>
> But I'm not sure if or how that translates to IPA support. Some clever pam rules could certainly be shoehorned-in as a sort of RSA pre-auth layer before getting into the krb5/sss bits, but that seems hackish at best. There was something on this mailing list talking about AuthHub support, circa 2012, but neither the topic nor the AuthHub git repository seem to have been touched since.
>
> So, long story short, is this on the roadmap, an existing feature, a hidden feature, or has it been done before? Any insight would be greatly appreciated! I dearly miss my IPA setup from my previous gig, but a hard-n-fast securid requirement makes it difficult to offer up as a solution here without more info on how they can cooperate.

IPA 4.0 will come out with integrated OTP support. To use an external provider you will need to configure a radius server to which PIN+Code will be sent for verification.

This is the project page: http://www.freeipa.org/page/V3/OTP

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] RSA Securid support
That's fantastic. Thanks for the link.

Thanks,
-Brian

On Thu, 2014-06-05 at 14:30 -0400, Simo Sorce wrote:
> On Thu, 2014-06-05 at 18:13 +, Lindblom, Brian R. wrote:
> > I've been doing a bit of reading on integrating securid w/ ipa and am coming up a little short. Up-stream MIT kerberos has some mention of supporting it:
> >
> > http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
> >
> > But I'm not sure if or how that translates to IPA support. Some clever pam rules could certainly be shoehorned-in as a sort of RSA pre-auth layer before getting into the krb5/sss bits, but that seems hackish at best. There was something on this mailing list talking about AuthHub support, circa 2012, but neither the topic nor the AuthHub git repository seem to have been touched since.
> >
> > So, long story short, is this on the roadmap, an existing feature, a hidden feature, or has it been done before? Any insight would be greatly appreciated! I dearly miss my IPA setup from my previous gig, but a hard-n-fast securid requirement makes it difficult to offer up as a solution here without more info on how they can cooperate.
>
> IPA 4.0 will come out with integrated OTP support. To use an external provider you will need to configure a radius server to which PIN+Code will be sent for verification.
>
> This is the project page: http://www.freeipa.org/page/V3/OTP
>
> Simo.

--
Brian R. Lindblom
HPC Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory

Re: [Freeipa-users] RSA Securid support
On 06/05/2014 02:42 PM, Lindblom, Brian R. wrote:
> That's fantastic. Thanks for the link.

Here is a video:
https://drive.google.com/#folders/0B3tfpNCVjJdCWFQxUk9NdkpHN2c

If instead of using an IPA managed token you configure RADIUS proxy to your RSA Authentication Manager you would be able to accomplish a similar result as in the video. Do not forget to configure the IPA server client in RSA Authentication Manager as a single transaction server to avoid new pin and next token code mode hurdles.

We would appreciate a HowTo page if you make it work.
http://www.freeipa.org/page/HowTos

> Thanks,
> -Brian
>
> On Thu, 2014-06-05 at 14:30 -0400, Simo Sorce wrote:
> > On Thu, 2014-06-05 at 18:13 +, Lindblom, Brian R. wrote:
> > > I've been doing a bit of reading on integrating securid w/ ipa and am coming up a little short. Up-stream MIT kerberos has some mention of supporting it:
> > >
> > > http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
> > >
> > > But I'm not sure if or how that translates to IPA support. Some clever pam rules could certainly be shoehorned-in as a sort of RSA pre-auth layer before getting into the krb5/sss bits, but that seems hackish at best. There was something on this mailing list talking about AuthHub support, circa 2012, but neither the topic nor the AuthHub git repository seem to have been touched since.
> > >
> > > So, long story short, is this on the roadmap, an existing feature, a hidden feature, or has it been done before? Any insight would be greatly appreciated! I dearly miss my IPA setup from my previous gig, but a hard-n-fast securid requirement makes it difficult to offer up as a solution here without more info on how they can cooperate.
> >
> > IPA 4.0 will come out with integrated OTP support. To use an external provider you will need to configure a radius server to which PIN+Code will be sent for verification.
> >
> > This is the project page: http://www.freeipa.org/page/V3/OTP
> >
> > Simo.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

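Added example, not part of the original thread and not FreeIPA or RSA code: what "PIN+Code will be sent for verification" looks like as a single RADIUS Access-Request (RFC 2865), and why a one-shot client cannot get past a follow-up prompt. The user name, shared secret and token values are constructed, and it is an assumption that the server signals new-PIN and next-tokencode modes with an Access-Challenge.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(user: str, pin: str, tokencode: str, secret: bytes,
                         ident: int, authenticator: bytes) -> bytes:
    """Single Access-Request; PIN and tokencode travel as one User-Password.
    Use os.urandom(16) for the authenticator outside of tests."""
    hidden = hide_password((pin + tokencode).encode(), secret, authenticator)
    name = user.encode()
    attrs = (struct.pack("!BB", USER_NAME, len(name) + 2) + name +
             struct.pack("!BB", USER_PASSWORD, len(hidden) + 2) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def classify_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> str:
    """Check length, identifier and Response Authenticator, then map the code."""
    if len(reply) < 20 or reply[1] != ident or \
            struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed"
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge-unsupported"}.get(reply[0], "unexpected")


def make_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Constructed attribute-less server reply, only to exercise classify_reply."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()
```

A "challenge-unsupported" result is the case the single-transaction setting is meant to avoid: the client has already sent its only request and has no way to answer a second prompt.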