Daniel PC via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Currently, I have 2FA implemented with password + FreeOTP as
authentication methods.
I wonder if it is possible to implement ssh pub+priv keys instead of a password as the first
authentication factor.
Has anyone implemented such a thing?
That's possible, but not with FreeIPA. On my Jump-Host I have the
following in /etc/ssh/sshd_config:
,----
| Match Group otpusers
| AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
`----
So I can login with Kerberos (and maybe with authentication indicators).
The second authentication stream uses pubkey and whatever is defined in
PAM. There I have:
,----
| # If the user is in group otpusers, we use the next rule, otherwise we skip
| # the call to pam_yubico.
| auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
| auth sufficient pam_yubico.so id=<yubicoid> key=<appkey> urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
`----
I use privacyidea to manage my 2FA tokens (here I use Yubikeys).
You could also use freeotp or something else. The problem is to connect
token and user in the PAM stack.
Jochen
--
This space is intentionally left blank.
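The control-flow of the two PAM lines above is easy to misread, so here is an added example (not from the post, and not the Linux-PAM code itself): a small Python model of the auth-stack semantics from pam.conf(5), run over the posted rules plus an assumed trailing `auth required pam_unix.so` line that stands in for whatever follows pam_yubico in a real stack. It shows that a user outside `otpusers` jumps over pam_yubico via `[default=1 success=ignore]`, and it also shows the property of `sufficient` a practitioner should keep in mind: a failed OTP with `sufficient` is ignored and the stack falls through to the next rule, whereas `[success=done default=die]` makes a failed OTP terminal for group members. All users, passwords, OTP values and the validation-server answers are constructed sample data.

```python
"""Toy model of Linux-PAM auth-stack control flow (pam.conf(5) actions:
ok, done, bad, die, ignore and numeric jumps).  Added example; all secrets
and OTP values are constructed and the module behaviour is simulated."""
import re
from dataclasses import dataclass
from typing import Optional

# Simple keywords expanded to the bracketed form documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

@dataclass
class Rule:
    control: dict          # pam result -> action; an int means "skip N rules"
    module: str
    args: list

@dataclass
class Session:
    user: str
    groups: set
    password: Optional[str] = None
    otp: Optional[str] = None

def parse_stack(text):
    """Parse `auth <control> <module> [args...]` lines (comments allowed)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError("unparsable line: " + line)
        ctl, module, args = m.groups()
        if ctl.startswith("["):
            control = {}
            for kv in ctl[1:-1].split():
                k, v = kv.split("=", 1)
                control[k] = int(v) if v.isdigit() else v
        else:
            control = KEYWORDS[ctl]
        rules.append(Rule(control, module, args.split()))
    return rules

# Constructed sample data standing in for the password database,
# /etc/yubikeys/authorized_yubikeys (user -> token public id) and the
# answers the validation server in `urllist` would give.
PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}
AUTHORIZED_YUBIKEYS = {"alice": "ccccccbchvth"}
VALID_OTP = "ccccccbchvth" + "cbdefghijklnrtuv" * 2     # 12-char public id + 32 modhex chars
SERVER_ACCEPTS = {VALID_OTP}

def pam_succeed_if(args, s):
    # Only the `user ingroup <group>` test used in the post is modelled.
    group = args[args.index("ingroup") + 1]
    return "success" if group in s.groups else "auth_err"

def pam_yubico(args, s):
    # Token must be bound to this user in the authfile and the OTP must validate.
    if not s.otp or len(s.otp) != 44 or AUTHORIZED_YUBIKEYS.get(s.user) != s.otp[:12]:
        return "auth_err"
    return "success" if s.otp in SERVER_ACCEPTS else "auth_err"

def pam_unix(args, s):
    return "success" if s.password is not None and PASSWORDS.get(s.user) == s.password else "auth_err"

MODULES = {"pam_succeed_if.so": pam_succeed_if, "pam_yubico.so": pam_yubico, "pam_unix.so": pam_unix}

def run_auth_stack(rules, s):
    """Evaluate the stack the way pam_dispatch does: first failure wins,
    `done` returns early only if nothing failed, `die` stops immediately,
    and a stack that never records a result is denied."""
    impression, status, i = "undef", None, 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        result = MODULES[rule.module](rule.args, s)
        action = rule.control.get(result, rule.control.get("default", "bad"))
        if isinstance(action, int):          # jump: skip the next N rules
            i += action
        elif action in ("ok", "done"):
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "positive", result
            if action == "done" and impression == "positive" and status == "success":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", result
            if action == "die":
                break
        # "ignore": the result does not contribute to the outcome
    return "perm_denied" if impression == "undef" else status

def authenticate(stack_text, session):
    return run_auth_stack(parse_stack(stack_text), session)

# The two posted rules, followed by an assumed password rule (not in the post).
POSTED_STACK = """
auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
auth sufficient pam_yubico.so id=<yubicoid> key=<appkey> urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
auth required pam_unix.so
"""
# Variant where a failed OTP is terminal for group members instead of being ignored.
STRICT_STACK = POSTED_STACK.replace("auth sufficient pam_yubico.so",
                                    "auth [success=done default=die] pam_yubico.so")

if __name__ == "__main__":
    alice_bad = Session("alice", {"otpusers"}, password="correct horse", otp="bogus")
    print("otpuser, valid OTP      :", authenticate(POSTED_STACK, Session("alice", {"otpusers"}, otp=VALID_OTP)))
    print("otpuser, bad OTP, posted:", authenticate(POSTED_STACK, alice_bad))   # falls through to pam_unix
    print("otpuser, bad OTP, strict:", authenticate(STRICT_STACK, alice_bad))
    print("non-otpuser, password   :", authenticate(POSTED_STACK, Session("bob", set(), password="battery staple")))
```

The model is intentionally limited to the `auth` type and the three modules named; it is there to make the skip-over-one-rule idiom and the `sufficient` versus `[success=done default=die]` difference concrete, not to replace reading pam.conf(5) or testing the real stack with a throwaway account.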