[Freeipa-users] Re: Require OTP on a single service or host

On pe, 08 huhti 2022, John Petrini via FreeIPA-users wrote: Please read https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli... or https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... and following sections. The whole idea is that authentication indicator reflects how the original ticket granting ticket (TGT) was obtained. When you'd limit access to services via authentication indicator, what you are really saying is that a service ticket to this serice can only be obtained when original ticket granting ticket was obtained with the help of a specific preauthentication method. You can define both OTP and password as possible methods to obtain ticket granting ticket. Users would still be able to request Kerberos TGT with the help of a password only. However, they would not be able to request service tickets that have authentication indicator requirements set on them. KDC will simply deny that access. So indicators' use is two-folded: - for users it defines which method they can use to obtain TGT - for services it defines how TGT must be obtained in order to allow issuance of a service ticket to this service for the user If you have set an indicator on a service (host), that only does the latter part. None of your users are asked to use OTP yet, thus they cannot yet obtain a service ticket to this host as their TGTs lack the corresponding indicator. Hence, a need for the former. Unrelated. Indicators only apply to Kerberos. No. OTP method is only applied through Kerberos. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland