Hi all,
I'm looking to implement OTP on FreeIPA, but would prefer not to keep
requesting users to enter their OTP at each login. In fact, I get users to add
their public key to their profile when adding them to FreeIPA so they
can SSH to hosts using SSO auth. In the same way, when they connect to a
(bastion) jumphost, .bashrc checks if they have a valid Kerberos ticket
and issues kinit if they don't have one. What I'm after is the following:
* User connects to a jumphost and is prompted for their IPA password
and 2FA code on login. Checking for a valid Kerberos ticket in
.bashrc works as even if a user does certificate auth to the
jumphost the kinit will prompt for a password. Which is fine, as it
only happens when there's no valid Kerberos ticket.
* User connects through the jumphost to other hosts; Kerberos and the
client certificate ensure that this is fully SSO as far as user
experience goes.
* A user should be prompted for an OTP (once) every 24 hours.
I want to add 2FA to this process, but only for obtaining the Kerberos
ticket, not for subsequent logins. So my questions:
* Will adding 2FA break the SSO and prompt a user for an OTP on each
connection they make to a host?
* If it does, is it possible to only prompt for an OTP on the first
connection made by the user? I trust Kerberos auth for SSO, I just
want to add 2FA to obtaining a valid Kerberos ticket.
Maybe I'm overthinking things, but I'd like to have a firm
understanding of how 2FA changes things before deploying it.
Thanks,
Djerk Geurts
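As an added example (not code from the original post), here is the kind of .bashrc fragment the post describes: it runs kinit only when the credential cache holds no unexpired TGT. With OTP enabled for a FreeIPA user, it is this kinit that asks for password plus OTP; subsequent GSSAPI logins through the jumphost reuse the cached TGT and do not prompt again until it expires, so the ticket lifetime (24 hours by default in FreeIPA) is what sets the re-prompt interval. The KLIST_CMD and KINIT_CMD variables are an assumption added so the logic can be exercised without a KDC; on a real host leave them unset and the real klist/kinit are used.

```shell
# Added example, not from the original post. Source from .bashrc on the jumphost.
# KLIST_CMD / KINIT_CMD are assumed override points for testing without a KDC;
# unset, they resolve to the real MIT Kerberos klist and kinit binaries.
KLIST_CMD="${KLIST_CMD:-klist}"
KINIT_CMD="${KINIT_CMD:-kinit}"

# Returns 0 when the default credential cache holds an unexpired TGT
# (klist -s is silent and exits non-zero when there is none), 1 otherwise.
have_valid_ticket() {
    "$KLIST_CMD" -s >/dev/null 2>&1
}

# Obtain a TGT only if needed. kinit prompts on the terminal for the IPA
# password (and, for OTP-enabled users, the OTP), so do not redirect its output.
# Exit status: 0 if a valid ticket is available afterwards, 1 if kinit failed.
ensure_ticket() {
    if have_valid_ticket; then
        echo "Kerberos ticket still valid."
        return 0
    fi
    if "$KINIT_CMD"; then
        echo "No valid Kerberos ticket; running kinit."
        return 0
    fi
    echo "kinit failed; no Kerberos ticket obtained." >&2
    return 1
}

# Only prompt at interactive shells; non-interactive sessions (scp, rsync,
# ProxyJump pass-through) must never block waiting for a password.
case "$-" in
    *i*) ensure_ticket ;;
esac
```

When a user hops from the jumphost to further hosts with GSSAPI authentication and credential delegation, the service tickets are derived from the cached TGT, so no OTP is requested on those connections.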