Community question, as I am trying to think of solutions and can use
some advice.
On 19/03/2019 19:16, Jelle de Jong wrote:
On 18/03/2019 20:44, Jakub Hrozek wrote:
> On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
>> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote:
>>> Hello everybody,
>>>
>>> I am looking for a way to have different authentication policies for
>>> freeipa-client logout and screenlock on linux workstations.
>>>
>>> When a user logs in I want to use my password+otp (this is working)!
>>>
>>> When a user locks its screen I want to be able to unlock it with only the
>>> password.
>>>
>>> When a user logs out and back in then it needs to use the password+otp
>>> again.
>>>
>>> I am aware of the security implications for this.
>>>
>>> How can I configure this policy?
>> I don't think there is a way to deploy such policy through SSSD at all.
>>
>> Jakub, do you have an idea how to make that possible?
>
> Currently I can't think of anything clean either. Is the lock screen
> and the
> login manager the same PAM service? If they are different, maybe some
> hack like letting pam_unix to always read the password and then just
> pass it on to pam_sss would work..
>
> But I know Sumit is working on improving the 2FA prompting lately, so
> maybe this will be improved in the upcoming release.
I seem to have mate-screensaver, lightdm and xrdp-sesman.
Will that be enough to hook a custom pam rule together for
mate-screensaver?
If not, is it possible to disable OTP for all the desktop systems in
sssd.conf and have it still working for all other systems with
--user-auth-type=otp as the only enabled option in freeipa?
Also for laptop systems in offline
disable_preauth
forward_pass
I need 2FA with SAML2 for web applications and 2FA for new logins on the
linux workstations, my customer does not want to use 2FA for screenlocks....
How long and what will it take to have this possibility supported in sssd?
I need to have a different policy for screensaver or different
technology stack... or different customer...
Would it be possible to have 2FA from IPA turned off for specific ipa
clients (desktop workstations) while the ipa user does have OTP
configured to be used by Ipsilon to provide 2FA for web applications?
Otherwise, would a keycloak or privacyidea solution be possible for the
2FA part with a freeipa backend and ipa-client workstations, but with
freeipa otp turned off and this part taken over by keycloak,
privacyidea or simpleSAMLphp?
It is not clear from the keycloak documentation whether, if I use federated
sssd, the 2FA is taken from freeipa or handled by keycloak itself.
https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sss...
Thank you in advance!
Kind regards,
Jelle de Jong