Hi all, the default user authentication method that we use is only "Two factor authentication (password + OTP)". Therefore the users can access hosts or services (LDAP) by OTP. We are looking for a way to disable OTP on a specific host or for LDAP queries.
Can you help me?
Thanks

Giuseppe Calò
Fondazione CMCC Centro Euro-Mediterraneo sui Cambiamenti Climatici presso Complesso Ecotekne Università del Salento - Strada Prov.le Lecce - Monteroni 73100 Lecce IT http://www.cmcc.it https://goo.gl/maps/wtahPDbNVen
mobile: (+39) 3208190020 email: giuseppe.calo@cmcc.it
The information included in this e-mail and any attachments are confidential and may also be privileged (GDPR 2016/679). If you are not the correct recipient, you are kindly requested to notify the sender immediately, to cancel it and not disclose the contents to any other person.
On 28/02/2024 11:31, Giuseppe Calò via FreeIPA-users wrote:
> Hi all, the default user authentication method that we use is only "Two factor authentication (password + OTP)". Therefore the users can access hosts or services (LDAP) by OTP. We are looking for a way to disable OTP on a specific host or for LDAP queries.
The user authentication methods determine what is required for the user to initially log in. If you enable both 'password' ("Password" in the web UI) and 'otp' ("Password + OTP" in the web UI) then the user will be able to authenticate using EITHER their password alone, OR both their password & OTP.
The user's ticket-granting-ticket will have recorded on it an 'authentication indicator', which tells the IPA server which method was used during that initial authentication process.
Separately, a host or service in the directory has an 'authentication indicators' setting. If set, the FreeIPA server will only issue a user with a service ticket for the service if the user's ticket-granting-ticket has the same authentication indicator on it.
For example, let's create a service 'HTTP/secure.example.com' and set its 'authentication indicators' to 'otp'.
When a user logs in with their password alone, their ticket-granting-ticket will have no authentication indicators recorded on it. When the user requests a ticket for HTTP/secure.example.com, the FreeIPA server will refuse to issue the ticket.
But if the user logged in with their password + OTP, their ticket-granting-ticket will have the 'otp' indicator on it. When the user requests a service ticket for HTTP/secure.example.com, the FreeIPA server will see that their ticket-granting-ticket has a matching authentication indicator and issue the ticket.
Now to try to implement your requirements in terms of how FreeIPA works. I think you will need to go through all your hosts and services where you require the user to have authenticated using two factors, and set the 'otp' indicator on them. For the hosts/services where you are OK with a single factor being used, you can set _no_ indicators on them.
See the docs for more info: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-kerberos-ticket-policies_managing-users-groups-hosts#doc-wrapper
There's one really important thing to be aware of. You can't set authentication indicators on your FreeIPA servers' own hosts or services running on them. (In older FreeIPA versions this was possible but it would break everything; newer versions explicitly throw an error if you try to do so).
Because of this, it will always be possible for your users to query the directory and make calls to the FreeIPA API even when they have only authenticated with their password. So if you set the default policy for users to allow authentication with both 'password' and 'otp' then you should probably explicitly configure your admin users so that they only have the 'otp' authentication method available & therefore cannot authenticate with password alone.
(I've been meaning to write an RFE to enforce some or all of the above automatically for a while but never got around to it...)
Another approach is possible, where you don't configure the authentication indicator requirement on the host/service objects within the directory; instead, the hosts/services are themselves responsible for examining the authentication indicators on the tickets that clients present, and enforcing a policy.
For authentication to hosts, this can be done with pam_sss_gss.so. I've not seen it implemented anywhere else, so for cases such as having Apache check the client's ticket for an 'otp' indicator, I don't think that can be done yet.
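The following is an added example, not code from the thread or from the FreeIPA project: a small planner that turns the policy Sam describes into `ipa` commands and lets you check the KDC-side consequences before anything is applied. The host names, service principals and the `admin` account are placeholders; the fleet list is constructed for illustration. The CLI options used (`ipa host-mod --auth-ind`, `ipa service-mod --auth-ind`, `ipa user-mod --user-auth-type`) are real, and the any-of matching rule mirrors how MIT krb5 documents the `require_auth` attribute that FreeIPA sets behind `--auth-ind`.

```python
"""Plan FreeIPA authentication-indicator enforcement for a fleet.

Run without arguments to print the plan; run with --apply (holding an
admin ticket from `kinit admin`) to execute it.
"""
from dataclasses import dataclass
import shlex
import subprocess
import sys


@dataclass(frozen=True)
class Principal:
    name: str                 # host FQDN, or a Kerberos service principal (contains '/')
    require_2fa: bool         # True -> set the 'otp' indicator; False -> clear indicators
    ipa_master: bool = False  # FreeIPA servers and their services must never get indicators


# Constructed sample fleet (placeholders, not real hosts).
FLEET = [
    Principal("ipa01.example.com", require_2fa=True, ipa_master=True),
    Principal("ldap/ipa01.example.com", require_2fa=True, ipa_master=True),
    Principal("bastion.example.com", require_2fa=True),
    Principal("HTTP/secure.example.com", require_2fa=True),
    Principal("web01.example.com", require_2fa=False),
]
ADMINS = ["admin"]  # assumed admin account names


def kdc_would_issue(tgt_indicators, required_indicators):
    """KDC rule from the thread: a service with no requirement always gets a
    ticket issued; otherwise the TGT must carry at least one of the required
    indicators (MIT krb5 treats the require_auth list as any-of)."""
    if not required_indicators:
        return True
    return bool(set(tgt_indicators) & set(required_indicators))


def required_for(p):
    """Indicators the service will require once the plan is applied.
    IPA masters keep none, because indicators cannot be set on them."""
    return ["otp"] if (p.require_2fa and not p.ipa_master) else []


def indicator_command(p):
    """Build the `ipa` command for one host/service, or None for an IPA master.
    Hosts and services use different subcommands; --auth-ind='' clears the value."""
    if p.ipa_master:
        return None
    verb = "service-mod" if "/" in p.name else "host-mod"
    value = "otp" if p.require_2fa else ""
    return f"ipa {verb} {shlex.quote(p.name)} --auth-ind={shlex.quote(value)}"


def plan(principals, admin_users):
    """Return (commands, skipped). Admin accounts are pinned to 'otp' only,
    since the IPA API and directory stay reachable with a password-only TGT."""
    commands, skipped = [], []
    for p in principals:
        cmd = indicator_command(p)
        if cmd is None:
            skipped.append(p.name)
        else:
            commands.append(cmd)
    for user in admin_users:
        commands.append(f"ipa user-mod {shlex.quote(user)} --user-auth-type=otp")
    return commands, skipped


def reachable(principals, tgt_indicators):
    """Names a TGT with these indicators can get service tickets for after the
    plan is applied; an empty list models a password-only login."""
    return sorted(p.name for p in principals
                  if kdc_would_issue(tgt_indicators, required_for(p)))


def apply(commands):
    """Execute the planned commands; each one is parsed with shlex, so the
    quoted empty --auth-ind value reaches ipa as an empty argument."""
    for cmd in commands:
        subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    cmds, skipped = plan(FLEET, ADMINS)
    print("\n".join(cmds))
    print("skipped (IPA masters must keep no indicators):", skipped)
    print("reachable with a password-only TGT:", reachable(FLEET, []))
    print("reachable with a password+OTP TGT:", reachable(FLEET, ["otp"]))
    if "--apply" in sys.argv:
        apply(cmds)
```

Running it without `--apply` prints the exact `ipa` commands and, more usefully, the reachability lists: with a password-only TGT the sample user still reaches `ipa01.example.com`, its `ldap/` service and `web01.example.com` but not `bastion.example.com` or `HTTP/secure.example.com`, which is the situation Sam warns about and the reason the admin accounts get `--user-auth-type=otp`.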
On 28/02/2024 17:23, Sam Morris via FreeIPA-users wrote:
> Another approach is possible, where you don't configure the authentication indicator requirement on the host/service objects within the directory; instead, the hosts/services are themselves responsible for examining the authentication indicators on the tickets that clients present, and enforcing a policy.
> For authentication to hosts, this can be done with pam_sss_gss.so. I've not seen it implemented anywhere else, so for cases such as having Apache check the client's ticket for an 'otp' indicator, I don't think that can be done yet.
Correction: mod_auth_gssapi has a GssapiRequiredNameAttributes directive & it looks like this can be used to require particular auth-indicators attributes on clients' service tickets:
https://github.com/gssapi/mod_auth_gssapi?tab=readme-ov-file#gssapirequiredn...
Sam Morris via FreeIPA-users wrote:
> On 28/02/2024 17:23, Sam Morris via FreeIPA-users wrote:
> > Another approach is possible, where you don't configure the authentication indicator requirement on the host/service objects within the directory; instead, the hosts/services are themselves responsible for examining the authentication indicators on the tickets that clients present, and enforcing a policy.
> > For authentication to hosts, this can be done with pam_sss_gss.so. I've not seen it implemented anywhere else, so for cases such as having Apache check the client's ticket for an 'otp' indicator, I don't think that can be done yet.
> Correction: mod_auth_gssapi has a GssapiRequiredNameAttributes directive & it looks like this can be used to require particular auth-indicators attributes on clients' service tickets:
> https://github.com/gssapi/mod_auth_gssapi?tab=readme-ov-file#gssapirequiredn...
FYI a related PR https://github.com/freeipa/freeipa/pull/7200
rob
Hi Robert Crittend, then if I set EnforceLDAPOTP and users have OTP defined, will the LDAP BIND need 2 factors? Where can I set EnforceLDAPOTP? Please note that I use 4.10.0-7 (not 4.11 as written in https://pagure.io/freeipa/issue/5169)
Thanks
Giuseppe Calo via FreeIPA-users wrote:
> Hi Robert Crittend, then if I set EnforceLDAPOTP and users have OTP defined, will the LDAP BIND need 2 factors? Where can I set EnforceLDAPOTP? Please note that I use 4.10.0-7 (not 4.11 as written in https://pagure.io/freeipa/issue/5169)
This is a change proposal. It isn't merged or released yet.
rob
Thanks Sam. I'll explain my case better.
- We didn't define a default authentication method for users or for hosts/services.
- For all defined users we enabled only the OTP method (we want all users to use 2 factors).
- All users have to use OTP to log in to each enrolled host.
- Our VPN system uses LDAP (FreeIPA server) to authenticate the users (users defined with OTP), so the users need to use password+OTP to start the VPN client --> the LDAP client (VPN server) is not enrolled; it is not possible (Forcepoint).
My target is:
- force the users to use OTP to start the VPN, and not to use OTP (only password) to log in to all other hosts in the virtual private network.
Some ideas?
Thanks
freeipa-users@lists.fedorahosted.org