On 25/08/2023 14.20, Ole Froslie via FreeIPA-users wrote:
Hi all,
I do acknowledge that this topic has been discussed in various threads, but I am
struggling to get it working and to understand the concepts.
My use cases are to use OTP 2FA with for example Google Authenticator as additional
security measure for
1. access to the freeipa server itself for selected users (typically admins)
2. access to selected Linux servers enrolled in FreeIPA. All users with any access to
these should always use OTP on these servers. No requirement for OTP for access to other
servers.
3. access to applications using LDAP integrations to FreeIPA
The first use case works right out of the box. I have managed to configure individual
users for OTP in the User Auth settings, assign tokens and get it working using Google
Authenticator.
I am struggling with the second use case for server access.
Instead of diving into all the detailed configs and logs and to understand why it is not
working I would rather start with how it is supposed to work at the high level, to ensure
I have gotten the basics correct first.
Is the use case supported at all?
How should I configure the selected users in FreeIPA?
How should I configure the selected hosts in FreeIPA?
How should I configure the selected hosts themselves, i.e. with respect to SSSD, PAM etc.?
You are looking for a feature called "Kerberos authentication
indicators". FreeIPA's Kerberos KDC annotates Kerberos tickets with auth
indicators, e.g. users with a 2FA login have an "otp" indicator in their TGT.
A host or service can require authentication indicators in two different
ways:
1. The KDC can require and enforce authentication indicators when a user
requests a ticket for a host or service principal.
2. SSSD can require authentication indicators for a PAM service (e.g.
sudo requires 2FA).
These documents explain the feature in more detail:
- https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
- https://www.freeipa.org/page/V4/Authentication_Indicators
- https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/...
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH,
https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
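The two enforcement paths in the reply above (KDC-side via the host principal, SSSD-side via a PAM service), as an added shell example that is not part of the thread and not FreeIPA project code. It uses the real `ipa host-mod --auth-ind`, `ipa user-mod --user-auth-type` and `ipa otptoken-add` options and the SSSD `[pam]` keys `pam_gssapi_services` / `pam_gssapi_indicators_map`; the host name `otp-host.example.test`, the `run_ipa` wrapper and its `DRY_RUN` switch are assumptions made for the example. It assumes an admin Kerberos ticket on the machine running the `ipa` CLI, an SSSD release that ships `pam_sss_gss`, and that `pam_sss_gss.so` is enabled in `/etc/pam.d/sudo` on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Configures OTP enforcement for one
# hypothetical enrolled host and a list of users, then prints the SSSD
# [pam] snippet for the host.
set -u

IPA_HOST="${IPA_HOST:-otp-host.example.test}"   # hypothetical enrolled host
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print ipa commands only

# run_ipa executes an ipa CLI call, or prints it when DRY_RUN=1 so the
# intended changes can be reviewed before touching the directory.
run_ipa() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# 1. KDC-side enforcement: tag the host principal so the KDC only issues
#    tickets for it to users whose TGT carries the "otp" indicator.
require_otp_on_host() {
    run_ipa host-mod "$IPA_HOST" --auth-ind=otp
}

# Users who must log in to that host need OTP as their auth type and a
# token assigned; here a TOTP token is created for the given user.
enable_otp_for_user() {
    run_ipa user-mod "$1" --user-auth-type=otp
    run_ipa otptoken-add --type=totp --owner="$1"
}

# 2. SSSD-side enforcement for a PAM service: with pam_sss_gss in
#    /etc/pam.d/sudo, sudo only accepts a ticket carrying "otp".
#    Output is the [pam] section to merge into /etc/sssd/sssd.conf.
sssd_pam_snippet() {
    cat <<'EOF'
[pam]
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:otp, sudo-i:otp
EOF
}

# Apply everything for the users given as arguments, e.g.:
#   DRY_RUN=1 sh otp-host.sh alice bob   (review)
#   sh otp-host.sh alice bob             (apply)
configure_otp_host() {
    require_otp_on_host
    for u in "$@"; do
        enable_otp_for_user "$u"
    done
    sssd_pam_snippet
}
```

Run it with `DRY_RUN=1` first to see the exact `ipa` calls it would make; `ipa host-mod --auth-ind=otp` only affects tickets for that host principal, so users keep password-only access to hosts without the indicator, which matches the "no requirement for OTP on other servers" part of the question.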