On 25/08/2023 14.20, Ole Froslie via FreeIPA-users wrote:
Hi all, I do acknowledge that this topic has been discussed in various threads, but I am struggling to get it working and to understand the concepts. My use cases are to use OTP 2FA with, for example, Google Authenticator as an additional security measure for
- access to the freeipa server itself for selected users (typically admins)
- access to selected Linux servers enrolled in FreeIPA. All users with any access to these should always use OTP on these servers. No requirement for OTP for access to other servers.
- access to applications using LDAP integrations to FreeIPA
The first use case works right out of the box. I have managed to configure individual users for OTP in the User Auth settings, assign tokens and get it working using Google Authenticator.
I am struggling with the second use case for server access. Instead of diving into all the detailed configs and logs to understand why it is not working, I would rather start with how it is supposed to work at a high level, to ensure I have the basics correct first.
Is the use case supported at all? How should I configure the selected users in FreeIPA? How should I configure the selected hosts in FreeIPA? What should I configure on the selected hosts themselves, i.e. with respect to SSSD, PAM, etc.?
You are looking for a feature called "Kerberos authentication indicators". FreeIPA's Kerberos KDC annotates Kerberos tickets with auth indicators, e.g. users who log in with 2FA have an "otp" indicator in their TGT.
A host or service can require authentication indicators in two different ways:
1. The KDC can require and enforce authentication indicators when a user requests a ticket for a host or service principal.
2. SSSD can require authentication indicators for a PAM service (e.g. sudo requires 2FA).
These documents explain the feature in more details:
- https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
- https://www.freeipa.org/page/V4/Authentication_Indicators
- https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/htm...
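The two enforcement points from the reply above, wired together as an added example (this is not code from the thread or from the FreeIPA project). It covers the questioner's second use case: the user gets an OTP-only auth type and a TOTP token, the host principal is marked with `--auth-ind=otp` so the KDC refuses to issue `host/` service tickets to a password-only TGT, and an SSSD drop-in makes `pam_sss_gss` demand the same indicator for sudo. The user name `alice`, the host `db01.example.test`, the drop-in file name and the PAM service list are assumptions; the `ipa` options and the `pam_gssapi_*` settings are real, but the SSSD side needs a release whose `pam_sss_gss` understands indicators (2.6 and later, to my knowledge) and `auth sufficient pam_sss_gss.so` at the top of the relevant `/etc/pam.d/` files.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: require an OTP-backed TGT
# for a selected FreeIPA host and for sudo on it. Run on an enrolled client
# with an admin ticket (kinit admin). Names below are assumptions.
set -eu

INDICATOR="otp"   # indicator the IPA KDC puts into TGTs obtained with 2FA

# 1. User side: only OTP logins are allowed for this user, then issue a
#    TOTP token for the authenticator app (ipa prints the otpauth:// URI).
enable_user_otp() {
  user="$1"
  ipa user-mod "$user" --user-auth-type="$INDICATOR"
  ipa otptoken-add --type=totp --owner="$user" --desc="Authenticator app"
}

# 2. KDC side: the host principal demands the indicator, so the KDC will
#    not issue host/<fqdn> tickets to a TGT that lacks it. Other hosts are
#    untouched, which matches "no requirement for OTP on other servers".
require_otp_on_host() {
  fqdn="$1"
  ipa host-mod "$fqdn" --auth-ind="$INDICATOR"
}

# 3. SSSD side: build the [pam] snippet that makes pam_sss_gss insist on
#    the indicator for the given PAM services. Pure text generation, so it
#    can be checked on a machine without SSSD.
sssd_pam_snippet() {
  services=""
  map=""
  for svc in "$@"; do
    services="${services:+$services, }$svc"
    map="${map:+$map, }$svc:$INDICATOR"
  done
  printf '[pam]\npam_gssapi_services = %s\npam_gssapi_indicators_map = %s\n' \
    "$services" "$map"
}

# Install the snippet as an SSSD drop-in; SSSD ignores snippets that are
# not root:root with mode 0600 (drop-in path and name are assumptions).
install_sssd_snippet() {
  dest="/etc/sssd/conf.d/90-require-otp.conf"
  sssd_pam_snippet "$@" > "$dest"
  chown root:root "$dest"
  chmod 0600 "$dest"
  systemctl restart sssd
}

# Only touch the live system when explicitly asked: ./require-otp.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_user_otp alice
  require_otp_on_host db01.example.test
  install_sssd_snippet sudo sudo-i
fi
```

A quick check after applying: `kinit alice` with password only, then `kvno host/db01.example.test` should fail, while a `kinit` that also supplies the token code succeeds; `klist` on the host after an OTP login shows the TGT that sudo will then accept through `pam_sss_gss`.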