Check out http://www.freeipa.org if you are looking for an integrated solution that can sync with AD. It supports One Time Passwords in order to obtain a Kerberos TGT and has an integrated OTP server.

If you are looking for a standalone 2 factor auth system that isn't RSA, check out http://www.linotp.org. I doubt there is any pre-auth integration with AD, but worth a look. If you were using MIT Kerberos, the OTP support would be there.

Cheers,
Brian

On 9/16/14, 9:06 PM, Ray Van Dolson wrote:
> Looking at revisiting our authentication model and curious what
> sort of baselines you all use. Am mostly focused on Linux, but
> concepts could apply to Windows as well.
>
> AD is "key" in our environment, so envision Kerberos playing a big
> role in this. My preference:
>
> - Administrators need some sort of two-factor authentication to
>   obtain a valid Kerberos ticket (when they log in to Windows for
>   example).
> - Linux boxen are set up to accept remote logins only via
>   Kerberos tickets. No password auth allowed (Kerberized PuTTY works
>   fine for this).
> - Emergency local accounts would need to be in place, but perhaps
>   would tie into a two-factor PAM module (e.g. Google Authenticator).
>
> Perhaps this isn't "enough" and I should look to have two-factor
> even at the SSH level? I do want to be able to potentially
> accommodate scripted logins via SSH keys in certain situations.
>
> How are some of you doing this currently?
>
> Thanks,
> Ray
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
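
Ray's preferred policy written out as an sshd_config, with a small check that reads the effective global settings back, is an added example and not code from the thread; the file path, the `deploy` and `breakglass` account names and the PAM stack behind the emergency account are assumptions.

```shell
#!/bin/sh
# Constructed sshd_config expressing the thread's policy: Kerberos
# tickets are the only interactive method, passwords are off, SSH keys
# work only for one service account, and the emergency account goes
# through PAM (where a Google Authenticator module would sit).
# The path and the account names are assumptions.
make_sample_config() {
  cat > "$1" <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication no
PermitRootLogin no
UsePAM yes
# Scripted logins: keys are accepted for this account only
Match User deploy
    PubkeyAuthentication yes
    AuthenticationMethods publickey
# Emergency local account: PAM stack (password + OTP) only
Match User breakglass
    ChallengeResponseAuthentication yes
    AuthenticationMethods keyboard-interactive:pam
EOF
}

# sshd honours the first occurrence of a keyword, and settings inside a
# Match block apply only to matching connections; this prints the
# effective global value of one keyword (empty if it is not set).
global_setting() {  # $1 = config file, $2 = keyword
  awk -v key="$2" '
    tolower($1) == "match" { in_match = 1 }
    !in_match && tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Returns 0 when the global settings enforce ticket-only logins with no
# password, challenge-response or key fallback; 1 on any deviation
# (an unset keyword counts as a deviation, since sshd's defaults permit it).
check_policy() {
  f=$1
  [ "$(global_setting "$f" GSSAPIAuthentication)" = yes ] || return 1
  [ "$(global_setting "$f" PasswordAuthentication)" = no ] || return 1
  [ "$(global_setting "$f" ChallengeResponseAuthentication)" = no ] || return 1
  [ "$(global_setting "$f" PubkeyAuthentication)" = no ] || return 1
  return 0
}
```

Point `check_policy` at a host's live sshd_config to audit it; it reads the file as written and does not follow Include directives or check the PAM configuration itself.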
