Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups?
List here says yes... https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indic...
I'm gonna give it a try.
Cheers, Ronald
On 29.03.23 22:30, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups?
List here says yes... https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indic...
I'm gonna give it a try.
Sorry. Clicked on send to early... As I understand the link above, it would just be a
ipa host-mod --auth-ind=otp secure.linuxhost.at
instead of enabling the option for some user. Right?
(or ipa service-mod --auth-ind=otp http/secure.linuxhost.at for a certain service)
But when I set the auth indicator on a host it does not seem to work. What am I missing?
Cheers, Ronald
On 29/03/2023 21:48, Ronald Wimmer via FreeIPA-users wrote:
On 29.03.23 22:30, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups?
List here says yes... https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indic...
I'm gonna give it a try.
Sorry. Clicked on send to early... As I understand the link above, it would just be a
ipa host-mod --auth-ind=otp secure.linuxhost.at
instead of enabling the option for some user. Right?
(or ipa service-mod --auth-ind=otp http/secure.linuxhost.at for a certain service)
But when I set the auth indicator on a host it does not seem to work. What am I missing?
Get a new TGT without providing a second factor. Then request a service ticket for host/secure.linuxhost.at; the KDC should refuse to hand out a ticket since your TGT doesn't have the 'otp' authentication indicator.
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
See also pam_sss_gss which can used to grant/deny authentication to a PAM service based on the authentication indicators present on the user's host/$HOSTNAME service ticket:
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
Services that authenticate clients via Kerberos authentication are also able to find out which authentication indicators are present on a client's service ticket, but I think this is quite new functionality that isn't implemented outside of pam_sss_gss so far.
On 29.03.23 23:06, Sam Morris via FreeIPA-users wrote:
On 29/03/2023 21:48, Ronald Wimmer via FreeIPA-users wrote:
On 29.03.23 22:30, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups?
List here says yes... https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indic...
I'm gonna give it a try.
Sorry. Clicked on send to early... As I understand the link above, it would just be a
ipa host-mod --auth-ind=otp secure.linuxhost.at
instead of enabling the option for some user. Right?
(or ipa service-mod --auth-ind=otp http/secure.linuxhost.at for a certain service)
But when I set the auth indicator on a host it does not seem to work. What am I missing?
Get a new TGT without providing a second factor. Then request a service ticket for host/secure.linuxhost.at; the KDC should refuse to hand out a ticket since your TGT doesn't have the 'otp' authentication indicator.
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
See also pam_sss_gss which can used to grant/deny authentication to a PAM service based on the authentication indicators present on the user's host/$HOSTNAME service ticket:
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
Services that authenticate clients via Kerberos authentication are also able to find out which authentication indicators are present on a client's service ticket, but I think this is quite new functionality that isn't implemented outside of pam_sss_gss so far.
What does this mean for us trying to enable OTP as an additional factor on certain hosts? Would I have to configure SSH(d) in a different way?
On 30.03.23 11:15, Ronald Wimmer via FreeIPA-users wrote:
On 29.03.23 23:06, Sam Morris via FreeIPA-users wrote:
On 29/03/2023 21:48, Ronald Wimmer via FreeIPA-users wrote:
On 29.03.23 22:30, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups?
List here says yes... https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indic...
I'm gonna give it a try.
Sorry. Clicked on send to early... As I understand the link above, it would just be a
ipa host-mod --auth-ind=otp secure.linuxhost.at
instead of enabling the option for some user. Right?
(or ipa service-mod --auth-ind=otp http/secure.linuxhost.at for a certain service)
But when I set the auth indicator on a host it does not seem to work. What am I missing?
Get a new TGT without providing a second factor. Then request a service ticket for host/secure.linuxhost.at; the KDC should refuse to hand out a ticket since your TGT doesn't have the 'otp' authentication indicator.
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
See also pam_sss_gss which can used to grant/deny authentication to a PAM service based on the authentication indicators present on the user's host/$HOSTNAME service ticket:
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
Services that authenticate clients via Kerberos authentication are also able to find out which authentication indicators are present on a client's service ticket, but I think this is quite new functionality that isn't implemented outside of pam_sss_gss so far.
What does this mean for us trying to enable OTP as an additional factor on certain hosts? Would I have to configure SSH(d) in a different way?
I would like to revisit this topic. As I did not quit understand the answer please let my try to rephrase my initial question:
Is it possible to force a second factor (OTP) for a certain group of host when trying to log in via SSH with the same IPA user?
Cheers, Ronald
freeipa-users@lists.fedorahosted.org