Hi,

Currently, I have 2FA implemented with password + FreeOTP as authentication methods.
I wonder if it is possible to implement ssh pub+priv keys instead of a password as the first authentication factor.
Has anyone implemented such a thing?

Thank you,
Daniel PC
Daniel PC via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Currently, I have 2FA implemented with password + FreeOTP as authentication methods.
> I wonder if it is possible to implement ssh pub+priv keys instead of a password as the first authentication factor.
> Has anyone implemented such a thing?
That's possible, but not with FreeIPA. On my jump host I have the following in /etc/ssh/sshd_config:

,----
| Match Group otpusers
|     AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
`----

So I can login with Kerberos (and maybe with authentication indicators).
The second authentication stream uses pubkey and whatever is defined in PAM. There I have:

,----
| # If the user is in group otpusers, we use the next rule, otherwise we skip
| # the call to pam_yubico.
| auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
| auth sufficient pam_yubico.so id=<yubicoid> key=<appkey> urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
`----

I use privacyidea to manage my 2FA tokens (here I use Yubikeys). You could also use freeotp or something else; the problem is to connect token and user in the PAM stack.
Jochen
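The following is an added example, not part of the thread and not Jochen's or Daniel's configuration. It stages a "public key first, OTP second" variant of the setup above into a scratch directory and then runs a static check that every AuthenticationMethods alternative for the OTP group really chains two methods, which is the thing to verify before copying such a block into /etc/ssh/sshd_config. The staging directory, the fragment file names, and the `password-auth` include name (RHEL-family PAM layout) are assumptions; the pam_yubico options mirror the ones in the thread and `<yubicoid>`/`<appkey>` remain placeholders.

```shell
#!/bin/sh
# Added example: stage an sshd Match block plus a PAM stack for
# "publickey, then keyboard-interactive OTP" for members of otpusers,
# and statically check the Match block. All paths under $STAGE are
# constructed for the demo; nothing touches /etc.
STAGE="${STAGE:-$(mktemp -d)}"

# sshd fragment. Note the single alternative: a key AND the PAM challenge.
# A Match block must sit at the end of sshd_config (or be followed only by
# other Match blocks), so append it rather than inserting it mid-file.
write_sshd_fragment() {
    cat > "$STAGE/sshd_otpusers.conf" <<'EOF'
Match Group otpusers
    AuthenticationMethods publickey,keyboard-interactive:pam
    PubkeyAuthentication yes
    KbdInteractiveAuthentication yes
    PasswordAuthentication no
EOF
}

# PAM stack for the "sshd" service (sshd always uses that service name, so the
# file is shared with every SSH login and needs the group skip rule).
# For otpusers the OTP module is decisive: success ends the auth phase,
# failure kills it, so a failed OTP can never fall back to the password lines.
# Everyone else skips exactly one line and authenticates as before.
write_pam_stack() {
    cat > "$STAGE/sshd" <<'EOF'
auth    [default=1 success=ignore]   pam_succeed_if.so quiet user ingroup otpusers
auth    [success=done default=die]   pam_yubico.so id=<yubicoid> key=<appkey> urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
auth    substack                     password-auth
account include                      password-auth
session include                      password-auth
EOF
}

# Print "ok" when every space-separated alternative on the otpusers
# AuthenticationMethods line is a comma-separated chain of at least two
# methods; print "weak" (and return 1) if any alternative is a single method,
# "missing" if the block has no AuthenticationMethods line at all.
check_methods() {
    line=$(awk '/^Match Group otpusers/{m=1;next} /^Match/{m=0}
                m && $1=="AuthenticationMethods"{$1=""; print; exit}' "$1")
    [ -n "$line" ] || { echo missing; return 1; }
    for alt in $line; do
        case "$alt" in
            *,*) ;;                      # chain of two or more methods
            *)   echo weak; return 1 ;;  # single factor at the SSH layer
        esac
    done
    echo ok
}

write_sshd_fragment
write_pam_stack
check_methods "$STAGE/sshd_otpusers.conf"
echo "staged in $STAGE; merge into sshd_config and run 'sshd -t' before reload"
```

The check deliberately flags Jochen's `gssapi-with-mic` alternative as single-factor at the SSH layer: Kerberos alone only counts as two factors if the KDC was made to require OTP at ticket issuance (FreeIPA authentication indicators), which sshd cannot see. `sshd -t` validates syntax only; test a new Match block from a second session before closing the one you used to edit it.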