Hi all, I do acknowledge that this topic has been discussed in various threads, but I am struggling to get it working and to understand the concepts. My use cases are to use OTP 2FA with, for example, Google Authenticator as an additional security measure for:
1. access to the FreeIPA server itself for selected users (typically admins)
2. access to selected Linux servers enrolled in FreeIPA. All users with any access to these should always use OTP on these servers. No requirement for OTP for access to other servers.
3. access to applications using LDAP integrations to FreeIPA
The first use case works right out of the box. I have managed to configure individual users for OTP in the User Auth settings, assign tokens and get it working using Google Authenticator.
I am struggling with the second use case for server access. Instead of diving into all the detailed configs and logs to understand why it is not working, I would rather start with how it is supposed to work at a high level, to ensure I have gotten the basics correct first.
Is the use case supported at all? How should I configure the selected users in FreeIPA? How should I configure the selected hosts in FreeIPA? How should I configure the selected hosts themselves, i.e. with respect to SSSD, PAM etc.?
regards, Ole
On 25/08/2023 14.20, Ole Froslie via FreeIPA-users wrote:
> Hi all, I do acknowledge that this topic has been discussed in various threads, but I am struggling to get it working and to understand the concepts. My use cases are to use OTP 2FA with, for example, Google Authenticator as an additional security measure for:
> - access to the FreeIPA server itself for selected users (typically admins)
> - access to selected Linux servers enrolled in FreeIPA. All users with any access to these should always use OTP on these servers. No requirement for OTP for access to other servers.
> - access to applications using LDAP integrations to FreeIPA
> The first use case works right out of the box. I have managed to configure individual users for OTP in the User Auth settings, assign tokens and get it working using Google Authenticator.
> I am struggling with the second use case for server access. Instead of diving into all the detailed configs and logs to understand why it is not working, I would rather start with how it is supposed to work at a high level, to ensure I have gotten the basics correct first.
> Is the use case supported at all? How should I configure the selected users in FreeIPA? How should I configure the selected hosts in FreeIPA? How should I configure the selected hosts themselves, i.e. with respect to SSSD, PAM etc.?
You are looking for a feature called "Kerberos authentication indicators". FreeIPA's Kerberos KDC annotates Kerberos tickets with auth indicators, e.g. users who logged in with 2FA have an "otp" indicator in their TGT.
A host or service can require authentication indicators in two different ways:
1. The KDC can require and enforce authentication indicators when a user requests a ticket for a host or service principal.
2. SSSD can require authentication indicators for a PAM service (e.g. sudo requires 2FA).
These documents explain the feature in more detail:
- https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
- https://www.freeipa.org/page/V4/Authentication_Indicators
- https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/htm...
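The SSSD side of option 2 is configured through the pam_gssapi_indicators_map setting in sssd.conf. The following is an added example, not part of the thread and not FreeIPA's or SSSD's own code: a small POSIX sh checker that reads a constructed sssd.conf excerpt and reports whether a given PAM service is mapped to the "otp" indicator. The domain name is a placeholder, and the checker simplifies SSSD's precedence rules by taking the last map line it finds.

```shell
#!/bin/sh
# Added example: check whether an sssd.conf maps a PAM service to the "otp"
# authentication indicator, i.e. whether SSSD will only accept a ticket that
# the KDC issued after a 2FA login for that service.
# The KDC side (not modelled here) is the host/service principal allow list,
# e.g. "ipa host-mod <fqdn> --auth-ind=otp".

# Constructed hardened excerpt: [pam] enables GSSAPI auth for sudo and sudo-i
# and requires the "otp" indicator for both. "ipa.example.test" is a placeholder.
SSSD_CONF_HARDENED='[pam]
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:otp, sudo-i:otp

[domain/ipa.example.test]
id_provider = ipa
'

# Constructed weak excerpt: GSSAPI auth is enabled, but no indicator is
# required, so a plain password-obtained TGT is accepted for sudo.
SSSD_CONF_WEAK='[pam]
pam_gssapi_services = sudo, sudo-i
'

# service_requires_otp CONF SERVICE
#   Returns 0 if SERVICE appears in pam_gssapi_indicators_map with the "otp"
#   indicator, 1 otherwise. Entries are assumed to be "service:indicator"
#   pairs separated by commas, as in the sssd.conf(5) description.
service_requires_otp() {
    printf '%s\n' "$1" | awk -v svc="$2" -F' *= *' '
        /^pam_gssapi_indicators_map/ { map = $2 }   # simplification: last line wins
        END {
            n = split(map, entries, /, */)
            for (i = 1; i <= n; i++) {
                split(entries[i], kv, ":")
                if (kv[1] == svc && kv[2] == "otp") found = 1
            }
            exit found ? 0 : 1
        }'
}

# Stand-alone demonstration.
for svc in sudo sudo-i sshd; do
    if service_requires_otp "$SSSD_CONF_HARDENED" "$svc"; then
        echo "hardened: $svc requires otp"
    else
        echo "hardened: $svc does NOT require otp"
    fi
done
service_requires_otp "$SSSD_CONF_WEAK" sudo || echo "weak: sudo does NOT require otp"
```

For the mapping to take effect, the PAM stack of the service (e.g. /etc/pam.d/sudo) must also use pam_sss_gss.so, which the checker does not inspect.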
Thanks for pointing me in the right direction. It works as expected now.
regards, Ole
On 29/08/2023 09.52, Ole Froslie via FreeIPA-users wrote:
> Thanks for pointing me in the right direction. It works as expected now.
You are welcome!
For LDAP integration, I'm working on a new howto. The document is in an early draft stage and I haven't checked it for typos and bugs. You may still find it useful:
https://github.com/tiran/freeipa.github.io/blob/ldap-users/src/page/HowTo/LD...
freeipa-users@lists.fedorahosted.org