On Fri, 08 Apr 2022, John Petrini via FreeIPA-users wrote:
> Hello,
> I've been trying to work out how to require OTP on a single service or
> host. I've set the OTP authentication indicator on a test host but so
> far the only way I've gotten OTP to work is by enabling it as an
> authentication type for my user, but when I do this, regular password
> based login no longer works on other hosts.
> Is there something I'm doing wrong or just not understanding about how
> this is supposed to work?
Please read
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
or
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
and following sections.
The whole idea is that authentication indicator reflects how the
original ticket granting ticket (TGT) was obtained. When you'd limit
access to services via authentication indicator, what you are really
saying is that a service ticket to this service can only be obtained when
original ticket granting ticket was obtained with the help of a specific
preauthentication method.
You can define both OTP and password as possible methods to obtain
ticket granting ticket. Users would still be able to request Kerberos
TGT with the help of a password only. However, they would not be able to
request service tickets that have authentication indicator requirements
set on them. KDC will simply deny that access.
So indicators' use is two-fold:
- for users it defines which method they can use to obtain TGT
- for services it defines how TGT must be obtained in order to allow
issuance of a service ticket to this service for the user
If you have set an indicator on a service (host), that only does the
latter part. None of your users are asked to use OTP yet, thus they
cannot yet obtain a service ticket to this host as their TGTs lack the
corresponding indicator. Hence, a need for the former.
> As a supplemental question, how will this impact LDAP based login?
Unrelated. Indicators only apply to Kerberos.
> Will password + OTP work with ldap clients?
No. OTP method is only applied through Kerberos.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
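The two-fold rule explained in the reply above (user auth types gate which preauthentication method can mint a TGT; a service's required indicator gates whether that TGT can be exchanged for a service ticket) as a toy model. This is an added example, not FreeIPA or MIT krb5 code. It assumes the indicator value is named "otp", that password (encrypted-timestamp) preauth attaches no indicator, that the KDC accepts a TGT carrying any one of a service's required indicators, and the hostnames and user are constructed for the scenario in the thread.

```python
"""Toy model of Kerberos authentication indicators (constructed example).

Two checks are modelled:
  AS-REQ  - the user's allowed authentication types decide which preauth
            method may produce a TGT, and that method stamps the TGT with
            an indicator (or none).
  TGS-REQ - a service with a required indicator is only issued a ticket
            when the presenting TGT carries one of those indicators.
"""
from dataclasses import dataclass

# Assumed mapping of preauth method -> indicator(s) placed on the TGT.
INDICATOR_FOR_METHOD = {
    "password": frozenset(),        # plain password preauth: no indicator
    "otp": frozenset({"otp"}),      # OTP preauth marks the TGT with "otp"
}


@dataclass(frozen=True)
class TGT:
    principal: str
    indicators: frozenset


@dataclass(frozen=True)
class User:
    name: str
    auth_types: frozenset           # the user's allowed authentication types


@dataclass(frozen=True)
class Service:
    name: str
    required_indicators: frozenset  # the indicator(s) set on the host/service


class TGTDenied(Exception):
    """AS-REQ refused: the user may not authenticate with this method."""


class ServiceTicketDenied(Exception):
    """TGS-REQ refused: the TGT lacks the indicator the service requires."""


def as_req(user: User, method: str) -> TGT:
    """Mint a TGT if the user is allowed to use this preauth method."""
    if method not in user.auth_types:
        raise TGTDenied(f"{user.name} is not allowed to use {method} preauth")
    return TGT(user.name, INDICATOR_FOR_METHOD[method])


def tgs_req(tgt: TGT, service: Service) -> str:
    """Issue a service ticket only if the TGT satisfies the service's policy."""
    required = service.required_indicators
    if required and not (required & tgt.indicators):
        raise ServiceTicketDenied(
            f"{service.name} requires one of {sorted(required)}, "
            f"but the TGT for {tgt.principal} carries {sorted(tgt.indicators)}"
        )
    return f"{service.name} for {tgt.principal}"


def outcome(user: User, method: str, service: Service) -> str:
    """Summarise what a user sees when trying method -> TGT -> service ticket."""
    try:
        tgs_req(as_req(user, method), service)
    except TGTDenied:
        return "no-tgt"
    except ServiceTicketDenied:
        return "tgt-but-no-service-ticket"
    return "service-ticket"


def thread_scenario() -> dict:
    """Replay the situations discussed in the thread (constructed data)."""
    alice_pw = User("alice", frozenset({"password"}))          # initial state
    alice_otp = User("alice", frozenset({"otp"}))              # OTP only
    alice_both = User("alice", frozenset({"password", "otp"}))  # the fix
    otp_host = Service("host/otp-only.example.test", frozenset({"otp"}))
    plain_host = Service("host/plain.example.test", frozenset())
    return {
        "password-only user, otp host": outcome(alice_pw, "password", otp_host),
        "password-only user, plain host": outcome(alice_pw, "password", plain_host),
        "password-only user tries otp": outcome(alice_pw, "otp", otp_host),
        "otp-only user, password, plain host": outcome(alice_otp, "password", plain_host),
        "both types, password, otp host": outcome(alice_both, "password", otp_host),
        "both types, password, plain host": outcome(alice_both, "password", plain_host),
        "both types, otp, otp host": outcome(alice_both, "otp", otp_host),
    }


if __name__ == "__main__":
    for case, result in thread_scenario().items():
        print(f"{case:40s} -> {result}")
```

The "otp-only user" row reproduces the poster's symptom (password login stops working everywhere), while the "both types" rows show the reply's point: the user still gets a password TGT and can reach the plain host, but the OTP-gated host denies the service ticket until the TGT was obtained with OTP.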