On Wed, 2015-07-08 at 08:15 +0200, Lukas Slebodnik wrote:
On (07/07/15 15:11), Sumit Bose wrote:
>On Tue, Jul 07, 2015 at 01:54:12PM +0200, Michael Ströder wrote:
>> Jakub Hrozek wrote:
>> > * Support for separate prompts when using two-factor authentication was added
>> > [..]
>> > * Credential caching and Offline authentication are also available when
>> > using two-factor authentication
>>
>> How is this supposed to work?
>> Is the OTP validated at the system or passed to another system for validation?
>
>We store the hash of the long term part of the OTP to allow offline
>authentication.
>
>> Are there any docs available about it?
>
>Please see
>https://fedorahosted.org/sssd/wiki/DesignDocs/PAMConversationForOTP for
>details.
>
>> Does it also work with challenge-response (OATH/OCRA)?
>
>No, challenge-response is currently not implemented.
>
>> Was this tested in scenarios when using clusterssh or similar?
>
>No, I'm not sure how clusterssh should work with OTP at all.
clusterssh (cssh)[1,2] is a very useful utility which allows you to
"type the same things" into many terminals. IIRC it is just a wrapper on top of
xterm.
OTP (one-time password) should not work by design with clusterssh.
Just one server will use it successfully (the fastest one).
With clusterssh, you still have the possibility to type into terminals separately.
It might be annoying, but YubiKeys could simplify it.
Well, it won't work only if you insist on password-based auth.
But you could do GSSAPI auth or SSH key auth through a bastion host that
verifies 2FA auth only once.
Simo.
--
Simo Sorce * Red Hat, Inc * New York