On Tue, Nov 27, 2018 at 02:09:43PM +0100, Winfried de Heiden wrote:
> Hi all,
>
> Mmmm, I was afraid so..... Any (nearby) plans for a "feature enhancement" on this :)

I'm not aware of any plans in this direction.

The original idea was that there might be hosts which have a higher requirement for security, e.g. because they contain sensitive data. In this case I think it makes sense to require OTP for all services, especially services which can give you even higher privileges like sudo.

If you want to make it easy for a user to call specific commands with sudo, you might want to add the '!authenticate' option to the related sudo rule to bypass all authentication?

bye,
Sumit

> Winfried
>
> On 27-11-18 at 13:47, Sumit Bose wrote:
>> On Tue, Nov 27, 2018 at 01:34:25PM +0100, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> I tried this as well, created a user for which otp and password are both allowed to enforce OTP login on certain hosts but sudo without otp:
>>
>> Enforcing 2FA for a host currently means enforcing it for all services which are handled by SSSD via PAM including sudo.
>>
>> bye,
>> Sumit
>>
>>> ipa user-show winfried
>>>   User login: winfried
>>>   First name: Winfried
>>>   Last name: de Heiden
>>>   Home directory: /home/winfried
>>>   Login shell: /bin/bash
>>>   Principal name: winfried@IPA.EXAMPLE.LOCAL
>>>   Principal alias: winfried@IPA.EXAMPLE.LOCAL
>>>   Email address: winfried@ipa.example.local
>>>   UID: 100018
>>>   GID: 100018
>>>   User authentication types: password, otp
>>>   Account disabled: False
>>>   Password: True
>>>   Member of groups: ipausers
>>>   Member of Sudo rule: reboot
>>>   Member of HBAC rule: freeipa-clientxx
>>>   Kerberos keys available: True
>>>
>>> The host indeed will force otp upon login:
>>>
>>> [winfried@freeipa-client03 ~]$ ipa host-show $(hostname)
>>>   Host name: freeipa-client03.ipa.example.local
>>>   Principal name: host/freeipa-client03.ipa.example.local@IPA.EXAMPLE.LOCAL
>>>   Principal alias: host/freeipa-client03.ipa.example.local@IPA.EXAMPLE.LOCAL
>>>   SSH public key fingerprint: SHA256:a03P2T5BqumEXarmQlZxqD9VNIw6l9VTSXkhRp3wKo8 (ssh-rsa), SHA256:PlV7LeKRipRw5Fild77ENuazjUWhEIQbwxACegdj+34 (ecdsa-sha2-nistp256), SHA256:DiPQ/EXr+w4ZSvCZBkdddGGYcJuITR64uIaMSbr0o0s (ssh-ed25519)
>>>   Authentication Indicators: otp
>>>   Password: False
>>>   Member of Sudo rule: reboot
>>>   Member of HBAC rule: freeipa-clientxx
>>>   Keytab: True
>>>   Managed by: freeipa-client03.ipa.example.local
>>>
>>> However, leaving the second empty, sudo will fail:
>>>
>>> sudo -l
>>> First Factor:
>>> Second Factor (optional):
>>> Sorry, try again.
>>> First Factor:
>>> Second Factor (optional):
>>> Sorry, try again.
>>> First Factor:
>>> Second Factor (optional):
>>> sudo: 3 incorrect password attempts
>>>
>>> Both IPA-server and client are running on CentOS 7.5.
>>>
>>> On 23-03-18 at 09:32, Sumit Bose via FreeIPA-users wrote:
>>>> On Thu, Mar 22, 2018 at 10:28:17AM -0700, Sean Hogan via FreeIPA-users wrote:
>>>>> Hello,
>>>>>
>>>>> We are implementing OTP for a new deployment and we can log in with the otp codes, however when trying to sudo it fails. We would like to use the 2fa to log in but single factor is ok for sudo escalation. Is OTP supposed to be getting involved when issuing sudo commands?
>>>>
>>>> You have to allow on the server that the user can use both 1FA (password) and 2FA, see the --user-auth-type option of 'ipa user-add'.
>>>>
>>>> To force 2FA at login you have to define on the server that the host requires the 'OTP' authentication indicator, see the --auth-ind option of 'ipa host-mod'.
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> bob@ipa-client1$ sudo cat /etc/resolv.conf
>>>>> First Factor:
>>>>> Second Factor:
>>>>> Sorry, try again.
>>>>> First Factor:
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>> ipa-server-dns-4.5.0-21.el7_4.2.2.noarch
>>>>> python-libipa_hbac-1.15.2-50.el7_4.6.x86_64
>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>> ipa-common-4.5.0-21.el7_4.2.2.noarch
>>>>> ipa-client-common-4.5.0-21.el7_4.2.2.noarch
>>>>> python2-ipalib-4.5.0-21.el7_4.2.2.noarch
>>>>> ipa-server-common-4.5.0-21.el7_4.2.2.noarch
>>>>> ipa-client-4.5.0-21.el7_4.2.2.x86_64
>>>>> libipa_hbac-1.15.2-50.el7_4.6.x86_64
>>>>> python2-ipaclient-4.5.0-21.el7_4.2.2.noarch
>>>>> python2-ipaserver-4.5.0-21.el7_4.2.2.noarch
>>>>> sssd-ipa-1.15.2-50.el7_4.6.x86_64
>>>>> python-iniparse-0.4-9.el7.noarch
>>>>> ipa-server-4.5.0-21.el7_4.2.2.x86_64
>>>>>
>>>>> Sean Hogan
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
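To make the thread's answer concrete, here is an added example (mine, not code from the thread, from FreeIPA or from SSSD) that parses the kind of `ipa user-show` / `ipa host-show` / `ipa sudorule-show` output shown above and models the resulting behaviour: an `otp` authentication indicator on the host means SSSD asks for the second factor for every PAM service it handles, sudo included, and a sudo rule carrying `!authenticate` skips PAM entirely. The decision logic is a deliberate simplification of what the KDC and SSSD really do; the sample output, the second host `freeipa-client04`, and the `Sudo Option` field label are constructed assumptions, while the CLI options returned by `ipa_commands` are the ones named in the thread (`--user-auth-type`, `--auth-ind`, the `!authenticate` sudo option).

```python
"""Model of how a FreeIPA host authentication indicator interacts with sudo.

Added example, not FreeIPA/SSSD code: the factor logic is a simplification of
the real KDC/SSSD behaviour, kept just detailed enough to show why the host
indicator hits sudo too and why '!authenticate' is the only offered escape."""
import re

# Constructed sample output in the shape of 'ipa user-show' / 'ipa host-show'
# / 'ipa sudorule-show', trimmed to the fields that matter here.
USER_SHOW = """\
  User login: winfried
  User authentication types: password, otp
  Member of Sudo rule: reboot
"""
HOST_SHOW_OTP = """\
  Host name: freeipa-client03.ipa.example.local
  Authentication Indicators: otp
  Member of Sudo rule: reboot
"""
HOST_SHOW_PLAIN = """\
  Host name: freeipa-client04.ipa.example.local
  Member of Sudo rule: reboot
"""
SUDORULE_DEFAULT = """\
  Rule name: reboot
  Enabled: TRUE
  Users: winfried
  Hosts: freeipa-client03.ipa.example.local
"""
# State after 'ipa sudorule-add-option reboot --sudooption='!authenticate'';
# the 'Sudo Option' label is an assumption about the real ipa output.
SUDORULE_NOAUTH = SUDORULE_DEFAULT + "  Sudo Option: !authenticate\n"

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_ipa_show(text):
    """Turn 'Key: value' lines into {key: [values]}; comma-separated values are
    split and a key that repeats (several 'Sudo Option' lines) accumulates."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        fields.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
    return fields


def factors_required(user, host):
    """What SSSD prompts for on this host for ANY PAM service (login, sshd and
    sudo alike): '1fa', '2fa', or 'denied' when the user cannot satisfy the
    host's indicator at all. A user with no explicit auth type is assumed to
    fall back to the global default of password only."""
    indicators = {v.lower() for v in host.get("Authentication Indicators", [])}
    auth_types = {v.lower() for v in user.get("User authentication types", [])} or {"password"}
    if "otp" in indicators:
        return "2fa" if "otp" in auth_types else "denied"
    # No indicator on the host: the user's own auth types decide.
    return "2fa" if auth_types == {"otp"} else "1fa"


def sudo_outcome(user, host, rule, first_factor_ok, second_factor_ok):
    """Result of running sudo: '!authenticate' on the matching rule makes sudo
    skip PAM entirely; otherwise the host's factor requirement applies exactly
    as it does at login."""
    if "!authenticate" in set(rule.get("Sudo Option", [])):
        return "allowed-without-auth"
    need = factors_required(user, host)
    if need == "denied" or not first_factor_ok:
        return "denied"
    if need == "2fa" and not second_factor_ok:
        return "denied"  # the 'Sorry, try again' seen in the thread
    return "allowed"


def ipa_commands(login, fqdn, rule, sudo_without_otp):
    """The ipa CLI invocations that produce the state modelled above, using the
    options named in the thread."""
    cmds = [
        f"ipa user-mod {login} --user-auth-type=password --user-auth-type=otp",
        f"ipa host-mod {fqdn} --auth-ind=otp",
    ]
    if sudo_without_otp:
        # Single quotes keep an interactive shell from history-expanding the '!'.
        cmds.append(f"ipa sudorule-add-option {rule} --sudooption='!authenticate'")
    return cmds


if __name__ == "__main__":
    user = parse_ipa_show(USER_SHOW)
    for host_text, rule_text in [(HOST_SHOW_OTP, SUDORULE_DEFAULT),
                                 (HOST_SHOW_OTP, SUDORULE_NOAUTH),
                                 (HOST_SHOW_PLAIN, SUDORULE_DEFAULT)]:
        host, rule = parse_ipa_show(host_text), parse_ipa_show(rule_text)
        print(host["Host name"][0], factors_required(user, host),
              "sudo with password only ->", sudo_outcome(user, host, rule, True, False))
```

Note the trade-off the model makes visible: `!authenticate` removes the first factor as well as the second, so a rule carrying it should be as narrow as the `reboot` rule in the thread rather than a catch-all `ALL` rule.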