On Fri, 18 Feb 2022, Michael Schwartzkopff via FreeIPA-users wrote:
> Hi,
> I am testing OTP usage of FreeIPA. really cool stuff. Thanks for your work.
> I have a user with "authentication type: OTP". So every time he wants
> to log in he is asked for username and token. Works.
> Sometimes it should be sufficient to provide only password, not OTP
> (i.e. inside company with company laptop).
> OTP should only be asked in special cases like VPN access. Is this possible?
Setting authentication type on IPA users or in the global configuration
forces use of that authentication type by Kerberos KDC for all attempts
to obtain a ticket granting ticket (TGT), the initial ticket that a user is
granted before they would request a service ticket. This initial
authentication process has no limit from where it could happen or which
application could trigger it. Assigning specific authentication type
also means that only the assigned types are possible to use and nothing
else. If you add both OTP and password, for example, a user will be able
to authenticate with OTP or with password but there is nothing at this
stage that would force it to use only OTP or only a password.
Once TGT is obtained, it will contain a tag, called 'authentication
indicator', that records how this TGT was obtained. A target application
may look into a service ticket obtained with the help of TGT and decide
whether this pre-authentication method was good enough. So a target
application can deny tickets obtained with the help of a password and
only accept tickets authenticated with OTP or a smart-card (PKINIT
authentication indicator).
As a result, in order to apply a policy 'OTP should only be asked in
special cases like VPN access', you need two things:
- allow use of OTP among allowed authentication types for a user on KDC
side
- force check for 'otp' authentication indicator in the Kerberos
service ticket received by your application
Up until recently there were not many applications that were able to
analyze authentication indicators in Kerberos tickets even though there
is a GSSAPI function that allows one to do so. Since autumn 2020, SSSD has added
a new PAM module, pam_sss_gss, to enforce such a check with applications
using PAM and negotiating Kerberos.
But if your application is not aware of this method, the only
enforcement we have is on the KDC side, e.g. when TGT is obtained. And
if you'd force use of a single authentication type there, it will apply
everywhere.
See more at
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
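The per-service indicator check described in the reply above, as an added Python model (not code from this thread, SSSD or FreeIPA): it parses a value written in the style of SSSD's pam_gssapi_indicators_map and decides whether the authentication indicators in a service ticket satisfy the policy for a given PAM service. Assumed here: the "indicator" / "service:indicator" item syntax, that a service-specific entry overrides the global one, and any-of matching; the ticket indicator lists and the "openvpn" service name are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class IndicatorPolicy:
    """Indicators required globally, plus per-PAM-service overrides."""
    global_required: set = field(default_factory=set)
    per_service: dict = field(default_factory=dict)

def parse_indicators_map(value: str) -> IndicatorPolicy:
    """Parse a pam_gssapi_indicators_map style value (assumed syntax:
    comma-separated items, each "indicator" or "pam-service:indicator")."""
    policy = IndicatorPolicy()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            service, indicator = (part.strip() for part in item.split(":", 1))
            policy.per_service.setdefault(service, set()).add(indicator)
        else:
            policy.global_required.add(item)
    return policy

def required_for(policy: IndicatorPolicy, service: str) -> set:
    # Assumption: a service-specific entry replaces the global list for that service.
    return policy.per_service.get(service, policy.global_required)

def ticket_acceptable(policy: IndicatorPolicy, service: str, ticket_indicators) -> bool:
    """True if the service ticket's indicators satisfy the policy for this service.
    No requirement means any TGT-derived ticket is accepted (the 'password is
    enough here' case); otherwise at least one required indicator must be
    present (assumed any-of match)."""
    required = required_for(policy, service)
    if not required:
        return True
    return bool(required & set(ticket_indicators))

# Constructed scenario from the thread: the VPN service demands an 'otp' or
# 'pkinit' indicator, ordinary login has no requirement. A TGT obtained with a
# password alone carries no indicator here; one obtained with OTP carries 'otp'.
POLICY = parse_indicators_map("openvpn:otp, openvpn:pkinit")
PASSWORD_ONLY_TICKET: list = []
OTP_TICKET = ["otp"]

if __name__ == "__main__":
    for service in ("login", "openvpn"):
        for label, indicators in (("password", PASSWORD_ONLY_TICKET), ("otp", OTP_TICKET)):
            verdict = "allow" if ticket_acceptable(POLICY, service, indicators) else "deny"
            print(f"{service:8} {label:9} -> {verdict}")
```

The KDC-side half of the policy (allowing both OTP and password as the user's authentication types so that a password-only TGT can exist at all) is not modelled; that part lives in the IPA user or global configuration, not in this check.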