On 28/02/2024 11:31, Giuseppe Calò via FreeIPA-users wrote:

Hi all, the default User authentication methos that we use is only: "Two factor authentication (password + OTP)" Threfore the users can access to host or service (LDAP) by OTP. We are looking for a way to disable OTP on a specific host or for ldap queries.

The user authentication methods determine what is required for the user to initially log in. If you enable both 'password' ("Password" in the web UI) and 'otp' ("Password + OTP" in the web UI) then the user will be able to authenticate using EITHER their password alone, OR both their password & OTP.

The user's ticket-granting-ticket will have recorded on it an 'authentication indicator', which tells the IPA server which method was used during that initial authentication process.

Separately, a host or service in the directory has an 'authentication indicators' setting. If set, the FreeIPA server will only issue a user with a service ticket for the service if the user's ticket-granting-ticket has the same authentication indicator on it.

For example, let's create a service 'HTTP/secure.example.com' and set its 'authentication indicators' to 'otp'.

When a user logs in with their password alone, their ticket-granting-ticket will have no authentication indicators recorded on it. When the user requests a ticket for HTTP/secure.example.com, the FreeIPA server will refuse to issue the ticket.

But if the user logged in with their password + OTP, their ticket-granting-ticket will have the 'otp' indicator on it. When the user requests a service ticket for HTTP/secure.example.com, the FreeIPA server will see that their ticket-granting-ticket has a matching authentication indicator and issue the ticket.

Now to try to implement your requirements in terms of how FreeIPA works. I think you will need to go through all your hosts and services where you require the user to have authenticated using two factors, and set the 'otp' indicator on them. For the hosts/services where you are OK with a single factor being used, you can set _no_ indicators on them.

See the docs for more info: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-kerberos-ticket-policies_managing-users-groups-hosts#doc-wrapper

There's one really important thing to be aware of. You can't set authentication indicators on your FreeIPA servers' own hosts or services running on them. (In older FreeIPA versions this was possible but it would break everything; newer versions explicitly throw an error if you try to do so).

Because of this, it will always be possible for your users to query the directory and make calls to the FreeIPA API even when they have only authenticated with their password. So if you set the default policy for users to allow authentication with both 'password' and 'otp' then you should probably explicitly configure your admin users so that they only have the 'otp' authentication method available & therefore cannot authenticate with password alone.

(I've been meaning to write an RFE to enforce some or all of the above automatically for a while but never got around to it...)

Another approach is possible, where you don't configure the authentication indicator requirement on the host/service objects within the directory; instead, the hosts/services are themselves responsible for examining the authentication indicators on the tickets that clients present, and enforcing a policy.

For authentication to hosts, this can be done with pam_sss_gss.so. I've not seen it implemented anywhere else, so for cases such as having Apache check the client's ticket for an 'otp' indicator, I don't think that can be done yet.