Re: [SSSD-users] 2-factor authc (was: Announcing SSSD 1.13.0)

On (07/07/15 15:11), Sumit Bose wrote: >On Tue, Jul 07, 2015 at 01:54:12PM +0200, Michael Ströder wrote: >> Jakub Hrozek wrote: >> > * Support for separate prompts when using two-factor authentication was added >> > [..] >> > * Credential caching and Offline authentication are also available when >> > using two-factor authentication >> >> How is this supposed to work? >> Is the OTP validated at the system or passed to another system for validation? > >We store the hash of the long term part of the OTP to allow offline >authentication. > >> Are there any docs available about it? > >Please see >https://fedorahosted.org/sssd/wiki/DesignDocs/PAMConversationForOTP for >details. > >> Does it also work with challenge-response (OATH/OCRA)? > >No, challenge-response is currently not implemented. > >> Was this tested in scenarios when using clusterssh or similar? > >No, I'm not sure how clusterssh should work with OTP at all. clusterssh (cssh)[1,2] is very useful utility which allows you to "type the same things" into many terminals. IIRC it is just wrapper on top of xterm. OTP (one time password) should not work by design with clusterssh. Just one server will use it successfully (the fastest one). With clustersh, you still have possibility to type into terminals separately. It might be annoying but yubikeys could simplify it.