> On May 18, 2015, at 09:47, Nathaniel McCallum <npmccal...@redhat.com> wrote:
>
>> On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:
>> Ok, let me ask this a different way, because maybe there is a way,
>> and I am just not seeing it.
>>
>> I have 2 datacenters with typical bastions in each. I have enabled
>> OTP and that works fine via ssh. But the user has to log in to both
>> and opening ssh tunnels is problematic at best.
>>
>> Using all the creativity in this list, maybe someone knows of another
>> way to have a user authenticate from a Mac where they would only have
>> to do it once to get their ticket?
>>
>> I guess I can't think of anything, but no harm in asking.
>
> Without support for the OTP pre-authentication mechanism, I don't know
> of any way to do this while still retaining the security properties of
> Kerberos. Basically, you'll have to hand over your password to a third
> party (which has OTP support). This is ill-advised.
>
> Nathaniel

Excellent point. Thanks for all the tips and advice. And of course for a great product that continues to get better.

~J