On Wed, 24 Nov 2021, Djerk Geurts via FreeIPA-users wrote:
Hi all,
I'm looking to implement OTP on FreeIPA, but would prefer not to keep
requesting users enter their OTP each login. In fact I get users to
add their public key to their profile when adding them to FreeIPA so
they can SSH to hosts using SSO auth. In the same way when they
connect to a (bastion) jumphost .bashrc checks if they have a valid
Kerberos ticket and issues kinit if they don't have one. What I'm
after is the following:
* User connects to a jumphost and is prompted for their IPA password
and 2FA code on login. Checking for a valid Kerberos ticket in
.bashrc works as even if a user does certificate auth to the
jumphost the kinit will prompt for a password. Which is fine, as it
only happens when there's no valid Kerberos ticket.
* User connects through the jumphost (to other hosts); Kerberos and the
client certificate ensure that this is fully SSO as far as user
experience goes.
* A user should be prompted for an OTP (once) every 24 hours.
I want to add 2FA to this process, but only for obtaining the Kerberos
ticket, not for subsequent logins. So my questions:
* Will adding 2FA break the SSO and prompt a user for an OTP on each
connection they make to a host?
* If it does, is it possible to only prompt for an OTP on the first
connection made by the user. I trust Kerberos auth for SSO, I just
want to add 2FA to obtaining a valid Kerberos ticket.
Maybe I'm overthinking things, but I'd like to have a firm
understanding on how 2FA changes things before deploying it.
You need a combination of several things:
- Kerberos authentication using OTP to obtain a Kerberos ticket
- Renewable Kerberos tickets
- Ability to authenticate with Kerberos to network services
- Ability to authenticate with Kerberos to PAM services on the same
host, potentially augmented with a feature to allow Kerberos tickets with
'otp' authentication indicator only
All this is possible with recent FreeIPA and SSSD versions: if your
distribution has pam_sss_gss.so module, then you should be good.
As long as the user has a valid Kerberos ticket, with pam_sss_gss.so the
ticket can be reused for further accessing PAM services on the same
host.
With a jumphost in use, one needs a bit more. If a login to the jumphost is
done with a password+OTP and not Kerberos, SSSD on the host would give a
ticket that would be usable for one step further. Forwarding that TGT is
partially a security compromise as you need to trust the service a TGT
is forwarded to. With SSH client this can be explicitly allowed by the
client tool configuration.
You can borrow some ideas from Cockpit page:
https://cockpit-project.org/guide/latest/cert-authentication.html
Read the whole page and think about security as well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
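The combination Alexander lists, as an added example (not part of the thread, and not FreeIPA or SSSD project code): one shell script bundling the jumphost .bashrc check that only runs kinit when no usable TGT exists, the IPA-side commands for OTP on TGT acquisition, a renewable ticket policy and an 'otp' authentication indicator on the jumphost's host principal, the SSSD/PAM fragment that lets pam_sss_gss.so reuse the ticket for sudo, and an ssh_config that delegates the TGT to the jumphost only. The realm EXAMPLE.TEST, the host name jump.example.test, the 24-hour lifetime and the 7-day renew window are assumed values, not from the original post; `pam_gssapi_indicators_map` needs an SSSD recent enough to ship pam_sss_gss.so.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA/SSSD project code.
# Assumed values (not from the original post): realm EXAMPLE.TEST, jumphost
# jump.example.test, 24h ticket lifetime, 7d renew window.

set -u

# --- .bashrc side on the jumphost: obtain a TGT (password+OTP) only when none is usable ----
have_valid_tgt() {
    # klist -s exits 0 only if the default credential cache holds an unexpired TGT.
    klist -s 2>/dev/null
}

ensure_tgt() {
    if have_valid_tgt; then
        return 0
    fi
    # For a user whose auth type is 'otp', kinit prompts for the password and then
    # "Enter OTP Token Value". -r asks the KDC for a renewable ticket, so a later
    # 'kinit -R' can extend it without a new OTP prompt until the renew window
    # (7d here, an assumed policy value) runs out.
    kinit -r 7d "$(id -un)"
}

# --- IPA server side: OTP for the TGT, renewable lifetime, 'otp' indicator on the jumphost ----
ipa_server_setup() {
    realm=EXAMPLE.TEST   # assumed realm
    # Default user authentication type: password + OTP
    # (per-user variant: ipa user-mod USER --user-auth-type=otp).
    ipa config-mod --user-auth-type=otp
    # Global ticket policy, in seconds: 24h max life, 7 day renew window.
    ipa krbtpolicy-mod --maxlife=86400 --maxrenew=604800
    # Only tickets obtained with OTP are accepted for the jumphost's host principal.
    ipa service-mod "host/jump.example.test@$realm" --auth-ind=otp
}

# --- Jumphost side: reuse the TGT for local PAM services via pam_sss_gss.so ---------------
print_sssd_pam_fragment() {
    # [pam] section of /etc/sssd/sssd.conf
    cat <<'EOF'
[pam]
# Let pam_sss_gss.so authenticate these PAM services with the user's own TGT ...
pam_gssapi_services = sudo, sudo-i
# ... but only when that TGT carries the 'otp' authentication indicator.
pam_gssapi_indicators_map = sudo:otp, sudo-i:otp
pam_gssapi_check_upn = true
EOF
}

print_pam_sudo_line() {
    # First auth line for /etc/pam.d/sudo and sudo-i: try the ticket, fall back to password.
    echo 'auth sufficient pam_sss_gss.so'
}

# --- Client side: forward the TGT to the jumphost only -----------------------------------
print_ssh_config() {
    # ~/.ssh/config. Delegation lets the jumphost act as the user towards any
    # Kerberos service, so it is granted to that one host and denied elsewhere.
    cat <<'EOF'
Host jump.example.test
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.example.test
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

case "${1:-}" in
    login)  ensure_tgt ;;          # what the jumphost .bashrc would call
    server) ipa_server_setup ;;    # run once as an IPA admin
    show)   print_sssd_pam_fragment; print_pam_sudo_line; print_ssh_config ;;
esac
```

When the user reaches the jumphost with a key or certificate, no TGT exists there, so the `login` branch prompts for password and OTP exactly once and every later hop and sudo rides on that ticket until it expires. When the user reaches the jumphost with GSSAPI instead, the ticket only exists on the jumphost if the client delegated it, which is why the ssh_config grants GSSAPIDelegateCredentials to that single host.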