On 5/27/2019 5:41 PM, David Boyes wrote:
>> From my perspective, check the PAM configuration for the SSH server and
>> the common-auth* PAM configuration files in /etc/pam.d/. For example, you
>> might have a look at pam-oath which handles OTP tokens for 2FA (never tried
>> that so far).
> Consider also investigating using Kerberos logins, which move a lot of the
> issues with centralized policy outside the realm of the endpoints entirely.
> Kerberos is widely used natively (even can be used on desktops and z/OS) and
> does a fine job of eliminating credentials across the wire entirely.
>
> It’s a bit of a hassle to set up initially, but once it’s working, it’s
> slick. It’d be nice to have the support in VM as well. I’ve been tinkering a
> bit with getting current Kerberos 5 support running for VM (based on updating
> the old Kerberos 4 server code that used to be part of VM TCPIP to current
> levels), and all the Linux distributions already support it.

Technically the acquired ticket is not two-factor, though. Instead it's a
bearer token that does not require reauth for the validity of the ticket.

Kind regards
Philipp Kern