What VPN server are you using & how do you currently integrate it with FreeIPA?
If you integrate via PAM, I think the following is possible, but it is untested--it's
just what I've pulled together in my notes, I haven't got around to actually
trying it yet.
You can allow a user to use _either_ normal password authentication, or OTP:
ipa user-mod myuser --user-auth-type=password,otp
Now, pam_sss will prompt for 'first factor' and 'second factor (optional)' -
if the user just hits enter then they can still log in with password alone. If they do
provide a second factor, there will be an 'authentication indicator' included in
their TGT which can be checked later on by the pam_sss_gss module.
On your VPN server, add the pam_sss_gss module to the vpn service's PAM module stack.
It has to go after pam_sss has prompted the user & obtained a TGT; I guess the
'required' control flag is the right thing to use here. But the exact position
will depend on what else you have in your module stack.
Tell sssd to allow the use of pam_sss_gss by setting pam_gssapi_services = myvpn, and
configure it to require the 'otp' indicator on the user's TGT by setting
pam_gssapi_indicators_map = myvpn:otp. Both those settings are in the [pam] section of
sssd.conf.
(As an aside, I wonder why the former setting is needed--only root should be able to
modify pam stacks; and why the latter setting couldn't have been implemented by a
module argument... it would have been nicer to keep all the PAM config in one place...)
The remaining bit of work is to get the VPN server to understand the prompts from pam_sss
& provide the password to the 'first factor' prompt and the OTP to the
'second factor' prompt.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
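The recipe in the mail above, written out as a script so the three pieces (the IPA auth-type change, the VPN service's PAM stack, and the [pam] settings in sssd.conf) can be generated, inspected in a scratch directory and sanity-checked before touching a live host. This is an added example, not code from the mail or from the SSSD/FreeIPA projects. The service name "myvpn", the user "myuser", the drop-in file name and the minimal PAM stack are hypothetical; it assumes an SSSD new enough to ship pam_sss_gss and the pam_gssapi_* options, and that sssd reads drop-ins from /etc/sssd/conf.d/. As the author says, the recipe itself is untested; this script only transcribes it.

```shell
#!/bin/sh
# Added example (not from the original mail): the mail's recipe as a script.
# Hypothetical names: PAM service "myvpn", IPA user "myuser". Assumes an SSSD
# that ships pam_sss_gss and the pam_gssapi_* options, and that sssd reads
# /etc/sssd/conf.d/*.conf. The recipe is untested in the mail; this changes nothing.
set -eu

PAM_SERVICE="${PAM_SERVICE:-myvpn}"
IPA_USER="${IPA_USER:-myuser}"

# Step 1: let the user authenticate with password alone or with password+OTP.
# Repeating the option is the CLI's multi-value form of "password,otp".
# Needs an admin ticket (kinit admin); only run from main with --apply.
set_user_auth_types() {
    ipa user-mod "$IPA_USER" --user-auth-type=password --user-auth-type=otp
}

# Step 2: the VPN service's PAM stack. pam_sss_gss sits after pam_sss because it
# checks the TGT pam_sss obtained; 'required' so a missing 'otp' indicator fails
# the whole auth phase.
render_pam_stack() {
    cat <<EOF
# /etc/pam.d/$PAM_SERVICE (hypothetical; merge with what your VPN already uses)
auth     required  pam_env.so
# prompts 'first factor' / 'second factor (optional)' and obtains the TGT
auth     required  pam_sss.so
# checks that TGT; with the indicators map in sssd.conf it fails unless 'otp' is present
auth     required  pam_sss_gss.so
account  required  pam_sss.so
EOF
}

# Step 3: [pam] settings in sssd.conf that enable pam_sss_gss for this service
# and require the 'otp' authentication indicator on the TGT for it.
render_sssd_pam_section() {
    cat <<EOF
[pam]
pam_gssapi_services = $PAM_SERVICE
pam_gssapi_indicators_map = $PAM_SERVICE:otp
EOF
}

# Write both files under $1 (/ on a real host; a temp dir to inspect first).
# sssd ignores conf.d drop-ins that are not root-owned mode 0600, hence the chmod.
install_config() {
    root="${1:?root dir}"
    mkdir -p "$root/etc/pam.d" "$root/etc/sssd/conf.d"
    render_pam_stack > "$root/etc/pam.d/$PAM_SERVICE"
    render_sssd_pam_section > "$root/etc/sssd/conf.d/50-$PAM_SERVICE-gss.conf"
    chmod 0600 "$root/etc/sssd/conf.d/50-$PAM_SERVICE-gss.conf"
}

# Sanity check of an installed tree: succeeds only if both sssd settings are
# present and pam_sss precedes pam_sss_gss in the service's PAM stack.
check_config() {
    root="${1:?root dir}"
    pam="$root/etc/pam.d/$PAM_SERVICE"
    sss="$root/etc/sssd/conf.d/50-$PAM_SERVICE-gss.conf"
    grep -q "^pam_gssapi_services = $PAM_SERVICE\$" "$sss" || return 1
    grep -q "^pam_gssapi_indicators_map = $PAM_SERVICE:otp\$" "$sss" || return 1
    sss_line=$(grep -n 'pam_sss\.so' "$pam" | head -n1 | cut -d: -f1)
    gss_line=$(grep -n 'pam_sss_gss\.so' "$pam" | head -n1 | cut -d: -f1)
    [ -n "$sss_line" ] && [ -n "$gss_line" ] && [ "$sss_line" -lt "$gss_line" ]
}

main() {
    case "${1:-}" in
        --apply) set_user_auth_types; install_config /; check_config / ;;
        *) echo "usage: $0 --apply   (or source it and call install_config DIR)" >&2 ;;
    esac
}

main "$@"
```

Run it with --apply only on the VPN server, with an admin ticket, after reviewing the generated files in a scratch directory (install_config /tmp/stage; check_config /tmp/stage). The remaining step from the mail, teaching the VPN daemon to answer the two pam_sss prompts, is not covered here.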