Hi all,
I'm looking to implement OTP on FreeIPA, but would prefer not to
keep requesting that users enter their OTP at each login. In fact I get
users to add their public key to their profile when adding them to
FreeIPA so they can SSH to hosts using SSO auth. In the same way
when they connect to a (bastion) jumphost, .bashrc checks if they
have a valid Kerberos ticket and issues kinit if they don't have
one. What I'm after is the following:
- User connects to a jumphost and is prompted for their IPA
password and 2FA code on login. Checking for a valid Kerberos
ticket in .bashrc works, as even if a user does certificate auth
to the jumphost, the kinit will prompt for a password, which is
fine, as it only happens when there's no valid Kerberos ticket.
- User connects through the jumphost (to other hosts); Kerberos
and the client certificate ensure that this is fully SSO as far
as user experience goes.
- A user should be prompted for an OTP (once) every 24 hours.
I want to add 2FA to this process, but only for obtaining the
Kerberos ticket, not for subsequent logins. So my questions:
- Will adding 2FA break the SSO and prompt a user for an OTP on
each connection they make to a host?
- If it does, is it possible to only prompt for an OTP on the
first connection made by the user? I trust Kerberos auth for
SSO, I just want to add 2FA to obtaining a valid Kerberos
ticket.
Maybe I'm overthinking things, but I'd like to have a firm
understanding on how 2FA changes things before deploying it.
Thanks,
Djerk Geurts
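As an added example (not from the original post or from FreeIPA itself), here is the .bashrc check the post describes, written as bash functions: obtain a ticket only when no valid one exists, and ask for the 24-hour lifetime the post wants so the password/OTP prompt at kinit is the only interactive step. It assumes MIT Kerberos client tools on the jumphost and that the login name is the IPA principal; KRB_TICKET_LIFETIME and KRB_PRINCIPAL are names chosen here.

```shell
#!/usr/bin/env bash
# Jumphost ~/.bashrc fragment (example). Assumes MIT Kerberos klist/kinit
# and that the local login name matches the IPA principal (constructed).

# Requested ticket lifetime. The KDC caps this at the realm's max ticket
# life policy, so the effective value may be shorter than requested.
KRB_TICKET_LIFETIME="${KRB_TICKET_LIFETIME:-24h}"
# Principal to obtain a ticket for; defaults to the current login name.
KRB_PRINCIPAL="${KRB_PRINCIPAL:-${USER:-$(id -un)}}"

# Succeeds (exit 0) when the default credential cache holds an unexpired
# TGT; 'klist -s' is silent and only reports via its exit status.
have_valid_tgt() {
    klist -s
}

# Run kinit only when no valid ticket is present. kinit is the single
# place where the password (and the OTP, once enabled on the account)
# is entered; later hops reuse the ticket, so nothing else prompts.
# Returns kinit's exit status, or 0 when no kinit was needed.
ensure_krb_ticket() {
    if have_valid_tgt; then
        return 0
    fi
    kinit -l "$KRB_TICKET_LIFETIME" "$KRB_PRINCIPAL"
}

# Only prompt in interactive shells, and only where the tools exist, so a
# non-interactive scp/rsync through the jumphost never hangs on a prompt.
if [[ $- == *i* ]] && command -v kinit >/dev/null 2>&1; then
    ensure_krb_ticket
fi
```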