On Fri, 23 Feb 2018, Maciej Drobniuch via FreeIPA-users wrote:
Hey Winfried,

I've been struggling with this too.

Currently I'm doing a hack (NO PASSWORD) in sudoers to at least work around
the OTP at sudo.

It's, as always, usability + angry users vs. security.
Well, consider that authentication is a separate step from
authorization. When you do 'sudo foo' you are authenticating first with
your credentials, then the authorization step is run after authentication
has succeeded.

Authentication means validating your credentials without knowing what
you will be using them for afterwards. The Kerberos KDC is authenticating
an SSSD request after 'sudo foo' triggered that one, and it doesn't have
any idea what SSSD will be using the result of authentication for, nor
does it have a way to trust what SSSD, as an authentication client, could
tell the KDC for a policy decision to be taken.

Authorization happens after this step, and here SSSD would know about
the HBAC rules to check to allow users to access the 'sudo'/'sudo-i' HBAC
service, but at this stage it is too late: the Kerberos KDC has already
asked an authentication client (SSSD) to provide 2FA creds.

If we add logic on the SSSD side and allow it to reuse an existing
Kerberos ticket to cache the authentication exchange and go straight to
the authorization stage, there could be race conditions. The whole flow
needs to be thought through quite well. There was a PAM module in the
past that allowed using a Kerberos ticket to decide whether a certain PAM
service could be accessed based on that, and it was retired due to so
many concerns about possible races.


BR
Maciej

On Fri, Feb 23, 2018 at 3:07 PM, Winfried de Heiden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

Hi all,

OTP using IPA 4.5 on CentOS seems to work well. However: I can force a
user to use OTP and/or a host.

Selecting a user, ALL authentication needs OTP. Since sudo in this case
will ask for OTP also, this turns out quite inconvenient. Is it possible
to select only certain services for OTP, for example:

login using SSH --> OTP
login ftp --> OTP
console --> password only
sudo  --> password only

Winfried

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org




--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC



--
/ Alexander Bokovoy
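Added illustration of the two-stage flow Alexander describes (authentication first, with no knowledge of the PAM service; HBAC authorization second, with user, host and service all known). This is a toy model written for this page, not code from the thread, from FreeIPA or from SSSD. The directory contents, rule names, host names and the "sudo_nopasswd" switch are constructed; the switch models Maciej's sudoers workaround under the assumption that NOPASSWD skips the PAM authentication phase but HBAC is still evaluated in account management.

```python
# Toy model (added example, not FreeIPA/SSSD code) of the flow described in
# the thread: stage 1 authenticates a principal without seeing the service,
# stage 2 evaluates HBAC on the full (user, host, service) triple.

ALL = "all"  # stands in for FreeIPA's usercategory/hostcategory/servicecategory=all

# Constructed directory: per-user auth type and groups, hosts and host groups.
USERS = {
    "winfried": {"groups": {"admins"}, "auth_type": "otp"},
    "maciej": {"groups": {"ops"}, "auth_type": "password"},
}
HOSTS = {
    "web1.example.test": {"hostgroups": {"webservers"}},
    "bastion.example.test": {"hostgroups": {"bastions"}},
}

# Constructed HBAC rules. HBAC is allow-only: access is granted if any enabled
# rule matches the user, the host and the service at the same time.
HBAC_RULES = [
    {"name": "admins_sudo", "enabled": True,
     "users": {"groups": {"admins"}}, "hosts": ALL,
     "services": {"services": {"sudo", "sudo-i"}}},
    {"name": "ssh_to_bastion", "enabled": True,
     "users": ALL, "hosts": {"hostgroups": {"bastions"}},
     "services": {"services": {"sshd"}}},
]

AUTH_OK = "auth-ok"
NEED_OTP = "denied: otp required"
BAD_PASSWORD = "denied: bad password"
HBAC_DENIED = "denied: no HBAC rule"
ALLOWED = "allowed"


def authenticate(user, creds):
    """Stage 1. The signature has no host and no PAM service on purpose: like
    the KDC, this step only knows the principal and its configured auth type."""
    if not creds.get("password_ok"):
        return BAD_PASSWORD
    if USERS[user]["auth_type"] == "otp" and not creds.get("otp"):
        return NEED_OTP
    return AUTH_OK


def _axis_matches(spec, name, memberships, direct_key, group_key):
    """One HBAC axis: category 'all', direct membership, or group membership."""
    if spec == ALL:
        return True
    return name in spec.get(direct_key, set()) or bool(
        memberships & spec.get(group_key, set()))


def hbac_allowed(user, host, service):
    """Stage 2. Evaluate HBAC rules on the full (user, host, service) triple."""
    user_groups = USERS[user]["groups"]
    host_groups = HOSTS[host]["hostgroups"]
    for rule in HBAC_RULES:
        if not rule["enabled"]:
            continue
        if (_axis_matches(rule["users"], user, user_groups, "users", "groups")
                and _axis_matches(rule["hosts"], host, host_groups, "hosts", "hostgroups")
                and _axis_matches(rule["services"], service, set(), "services", "servicegroups")):
            return True
    return False


def pam_request(user, host, service, creds, sudo_nopasswd=False):
    """One PAM conversation through both stages. sudo_nopasswd models the
    sudoers NOPASSWD workaround from the thread: the authentication phase is
    skipped for sudo, but account management (HBAC) still runs. That second
    part is an assumption of this model, not something the thread states."""
    if not (sudo_nopasswd and service.startswith("sudo")):
        result = authenticate(user, creds)
        if result != AUTH_OK:
            return result
    return ALLOWED if hbac_allowed(user, host, service) else HBAC_DENIED


if __name__ == "__main__":
    pw = {"password_ok": True}
    pw_otp = {"password_ok": True, "otp": "123456"}
    print("ssh with otp:", pam_request("winfried", "bastion.example.test", "sshd", pw_otp))
    # This is Winfried's complaint: HBAC would allow sudo, but stage 1 never sees
    # the service and demands the OTP anyway.
    print("sudo, password only:", pam_request("winfried", "web1.example.test", "sudo", pw))
    print("sudo, NOPASSWD:", pam_request("winfried", "web1.example.test", "sudo", pw, sudo_nopasswd=True))
    print("sudo, NOPASSWD, non-admin:", pam_request("maciej", "web1.example.test", "sudo", pw, sudo_nopasswd=True))
```

The point to take from the model is the shape of the two functions: `authenticate` has no way to branch on the service because it never receives one, so any per-service OTP policy would have to live in `hbac_allowed`, which only runs after the OTP has already been demanded. The NOPASSWD switch removes the prompt only by removing stage 1 altogether, which is exactly why it is a hack rather than a policy.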
