On 5/27/19, 10:48 PM, "Linux on 390 Port on behalf of Philipp Kern" 
<LINUX-390@VM.MARIST.EDU on behalf of p...@philkern.de> wrote:
>Technically the acquired ticket is not two-factor, though. Instead it's
>a bearer token that does not require reauth for the validity of the ticket.

True per se, however the process of acquiring the ticket can mandate multiple
factors. How the factors are acquired is up to the endpoints. If klogin is
configured to require 2 credentials (something you have + something you know)
to acquire the service ticket for the login service (access to the machine), it
meets some definitions of 2-factor by not issuing a valid service ticket until
both factors are present. It's also possible to issue single-use tickets
without a lot of bother across a wide range of platforms without inventing
wheels. A common configuration is acquiring tickets from two realms (one
permitting normal renewable tickets, and the other issuing only single-use
tickets requiring the presence of a physical token to acquire the ticket) and
configuring the login service on the target machine in question to validate
both tickets before granting access. PAM makes this pretty easy to do.

The infrastructure around Kerberos provides for the methods the OP wanted to 
accomplish. It's worth an architectural look-see as the carrier for the overall 
process. 
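As an added illustration of the two-realm PAM stack described above (not part of the original message, and not a config shipped by any of the projects named), here is a hypothetical `/etc/pam.d/login` fragment using the pam-krb5 module. The realm names, the `login` service and the assumption that the second realm's KDC only issues short-lived, non-renewable tickets after a hardware-token code are placeholders chosen for the example; the `realm=` and `no_ccache` options are documented pam-krb5 options.

```text
# /etc/pam.d/login  -- hypothetical two-realm stack (example, not from the post)
#
# Factor 1 (something you know): the user's password obtains a normal,
# renewable TGT from the primary realm. "requisite" aborts the stack at
# once if this fails, so the token realm is never even contacted.
auth    requisite   pam_krb5.so realm=CORP.EXAMPLE

# Factor 2 (something you have): a one-time code from the physical token
# is verified by obtaining a ticket from a second realm whose KDC policy
# (assumed here) issues only short-lived, non-renewable tickets.
# no_ccache keeps this module from creating a credential cache, so the
# renewable TGT from factor 1 remains the session's only cache.
auth    required    pam_krb5.so realm=OTP.CORP.EXAMPLE no_ccache

# A session is only granted once both auth lines have succeeded.
account required    pam_krb5.so
session required    pam_krb5.so
```

The weaker single-realm variant is simply the first `auth` line alone; the point of the second line is that a stolen or reused primary-realm ticket cannot satisfy the stack by itself, since the token-realm KDC is consulted on every login.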
