On Wed, 14 Dec 2016 13:21:50 +0200
Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
I cannot tell how Fedora Infrastructure would use features
available in FreeIPA, but at least on FreeIPA level we have support
for multi-factor authentication on Kerberos level.
The use of it is a bit less convenient right now for secondary cases
where you are not utilizing your Kerberos infrastructure for a system
logon directly but we are working on improvements to Kerberos initial
ticket exchange that will make it easier. Right now you have to have
an initial ticket created with some other means to provide a secure
channel between the client and the KDC to exchange second factor
information. This *other* initial ticket is typically your machine's
account in case of enrolled computers (like "normal" FreeIPA client)
or an anonymous PKINIT-based authenticated principal. With SPAKE
exchange this will be replaced by a more secure exchange that
requires no additional communication/channels.
It is far away yet, maybe Fedora 26/27 time frame, but this gives us
also time to improve other tooling around the user experience -- GNOME
Online accounts and the rest of tools not directly involved in a
system level logon flow.
We definitely plan to enable/use 2fa with Kerberos down the road.
kevin
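The two-step flow Alexander describes (an armor ticket from the machine account or anonymous PKINIT first, then the user's OTP exchange inside that FAST channel) looks like this with MIT kinit. This is an added illustration, not code from either message or from FreeIPA itself; the realm EXAMPLE.TEST, the user alice and the cache path are placeholders, and it assumes the KDC has anonymous PKINIT enabled (FreeIPA does by default) or that the host is enrolled and has a keytab.

```shell
#!/bin/sh
# Added example (not from the thread): get an OTP-protected Kerberos TGT
# when the KDC requires a FAST armor channel for the second factor.
# Placeholders: EXAMPLE.TEST realm, user alice, /tmp armor cache path.
REALM="${REALM:-EXAMPLE.TEST}"
USER_PRINC="${USER_PRINC:-alice}"
ARMOR_CC="${ARMOR_CC:-/tmp/krb5cc_armor_$$}"

# Step 1a: anonymous PKINIT ticket. It proves nothing about the user, but
# it authenticates the KDC through its certificate, which is what makes the
# armored channel safe for sending the OTP value.
get_anonymous_armor() {
    kinit -n -c "$ARMOR_CC" "@$REALM"
}

# Step 1b: enrolled hosts can use the machine account from the host keytab
# instead of anonymous PKINIT (the "normal" FreeIPA client case).
get_host_armor() {
    kinit -k -c "$ARMOR_CC" "host/$(hostname -f)@$REALM"
}

# Check a practitioner wants before typing a second factor: refuse to
# proceed unless an armor cache really exists and is non-empty, rather than
# letting kinit fall back to an unarmored preauth attempt.
have_armor_cache() {
    [ -s "$1" ]
}

# Step 2: the user's own kinit, armored with -T. kinit prompts for the
# password and token value; with FAST in place the KDC never sees the OTP
# outside the encrypted channel.
armored_user_kinit() {
    if ! have_armor_cache "$ARMOR_CC"; then
        echo "no armor cache at $ARMOR_CC; not sending second factor" >&2
        return 1
    fi
    kinit -T "$ARMOR_CC" "$USER_PRINC@$REALM"
}

main() {
    if ! command -v kinit >/dev/null 2>&1; then
        echo "kinit not installed; nothing to do" >&2
        return 0
    fi
    get_anonymous_armor || get_host_armor || return 1
    armored_user_kinit && klist
}

main "$@"
```

Once SPAKE preauthentication is available on both KDC and client, step 1 disappears: the password exchange itself provides the protected channel, so a plain `kinit alice` can carry the OTP without a separate armor ticket. Until then, SSSD does the armoring for system logons on enrolled hosts; the manual sequence above is for the secondary cases mentioned in the thread, such as tooling that runs kinit itself.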