Hi,

[I'm running Kerberos inside FreeIPA, so plain Kerberos might be
different...]

Ken Hornstein <k...@cmf.nrl.navy.mil> writes:

>>We'd like to be able to leverage 2fa for some services (admins) and some 
>>services (ssh logins) but not have to pump a 2fa code into, say, our mail 
>>applications.  Is there a way to make the acquisition of a TGT (for GSSAPI 
>>authentication) vs Password Authentication require 2fa?
>
> Yes (I'll explain more below).
>
>>That's complication number one.
>>
>>Complication number 2 is something like "SecurID is *expensive* for a 
>>fairly small (<10) admin team."
>
> Yeah, tell me about it.

I've been running privacyIDEA (https://www.privacyidea.org/) for some
time to manage the tokens. Exposed the application with RADIUS and told
FreeIPA to authenticate against RADIUS. Had some rough edges, but was
usable for me and is able to manage many kinds of tokens.

Will it work for you? Maybe...

Jochen

-- 
This space is intentionally left blank.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
