Hello the List,
This doesn't quite work. We have two hosts, we want a user to just use a
password on one host, and password + OTP on a second host.
I have set the FreeIPA server to use both password and otp+password:
ipa config-mod --user-auth-type={password,otp}
One host (test2fa02) left with no required auth indicator
One host (test2fa01) with otp as a required auth indicator.
ipa host-mod --auth-ind=otp test2fa01
I have a user with a token, and no auth-types chosen (i.e. using defaults) and
an OTP token set.
The user is able to log in to test2fa02, which does not require OTP, but I am
unable to log into test2fa01.
I set the user to use OTP only: two-factor authentication works, but is required
by both hosts.
I set the default to use OTP only: two-factor authentication works, but is
required on both hosts.
If I unset the auth options on user and server, the password works on test2fa02,
but auth fails on test2fa01.
If I unset auth for user, and set server auth to password and OTP, the password
works on test2fa02, but auth fails on test2fa01.
If I unset auth for server, and set auth for user to password and OTP, the
password works on test2fa02, but auth fails on test2fa01.
We only want 2FA required on specific hosts, the other hosts should
authenticate with just password.
Any suggestions?
Aaron
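An added illustration (not part of the thread, and not FreeIPA's own code): a small Python model of how authentication indicators gate access, so the scenarios above can be walked through. It assumes the standard behaviour, namely that the KDC stamps the TGT with the "otp" indicator only when OTP pre-authentication was actually used, and that a host principal with a required indicator only gets a service ticket issued from a TGT carrying it; host names and the scenario table are constructed from the message.

```python
# Added example, not from the thread: minimal model of FreeIPA/MIT KDC
# authentication-indicator gating. Assumed semantics: the TGT carries the
# indicator of the pre-auth mechanism actually used ("otp" for OTP pre-auth,
# nothing for a plain password), and a host principal with a required
# indicator is only issued a service ticket from a TGT that carries it.

PASSWORD, OTP = "password", "otp"

def issue_tgt(user_auth_types, factors_supplied):
    """Return the set of auth indicators on the TGT, or None if pre-auth fails.

    user_auth_types: effective user/config auth types, e.g. {"password", "otp"}
    factors_supplied: what the user typed, {"password"} or {"password", "otp"}
    """
    if OTP in factors_supplied and OTP in user_auth_types:
        return {OTP}        # OTP pre-auth (password + token) -> indicator "otp"
    if factors_supplied == {PASSWORD} and PASSWORD in user_auth_types:
        return set()        # password-only pre-auth -> no indicator at all
    return None             # e.g. an OTP-only user supplying just a password

def issue_service_ticket(tgt_indicators, host_required_indicators):
    """KDC check: every indicator the host principal requires must be on the TGT."""
    if tgt_indicators is None:
        return False
    return host_required_indicators <= tgt_indicators

def can_log_in(user_auth_types, factors_supplied, host_required_indicators):
    tgt = issue_tgt(user_auth_types, factors_supplied)
    return issue_service_ticket(tgt, host_required_indicators)

# Constructed from the message: test2fa01 has 'otp' as a required auth
# indicator (ipa host-mod --auth-ind=otp), test2fa02 requires nothing.
HOSTS = {"test2fa01": {OTP}, "test2fa02": set()}

def walk_scenarios():
    """Effective auth types {password, otp} vs. an OTP-only user, per host."""
    results = {}
    for host, required in HOSTS.items():
        both = {PASSWORD, OTP}
        results[(host, "password only")] = can_log_in(both, {PASSWORD}, required)
        results[(host, "password+otp")] = can_log_in(both, {PASSWORD, OTP}, required)
        results[(host, "otp-only user, password only")] = can_log_in({OTP}, {PASSWORD}, required)
        results[(host, "otp-only user, password+otp")] = can_log_in({OTP}, {PASSWORD, OTP}, required)
    return results

if __name__ == "__main__":
    for (host, how), ok in walk_scenarios().items():
        print(f"{host:10} {how:30} -> {'ok' if ok else 'denied'}")
```

The model reproduces the observations above: with password and OTP both allowed, a password-only login yields a TGT without the "otp" indicator and is refused by test2fa01 while test2fa02 accepts it; with an OTP-only user the token is needed on both hosts.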
-----Original Message-----
From: Aaron Hicks [mailto:[email protected]]
Sent: Monday, 20 November 2017 12:59 PM
To: 'FreeIPA users list' <[email protected]>
Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
Thanks Sumit,
This looks like what we're after, I'll follow up after some testing.
Aaron
-----Original Message-----
From: Sumit Bose via FreeIPA-users
[mailto:[email protected]]
Sent: Friday, 17 November 2017 9:06 PM
To: [email protected]
Cc: Sumit Bose <[email protected]>
Subject: [Freeipa-users] Re: Enabling two-factor by host
On Fri, Nov 17, 2017 at 04:09:01AM +0000, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> Is it possible to enable two-factor authentication using Google Authenticator
> on FreeIPA on specific hosts or groups of hosts?
>
> Alternatively, are there any recommendations on modifying the Pam
> configuration on these 2FA required machines to grab the OTP token from
> FreeIPA when a user logs in?
Please check if authentication indicators are what you are looking for, see e.g.
https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indicators/
for details, look especially for 'Enforcing 2FA on a host principal'.
HTH
bye,
Sumit
>
> Regards,
>
> Aaron
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to
> [email protected]