Hi all,
We started looking into OTP features provided by IPA in our facility. In our environment, majority of our machines are located in the private network, users access them via external-facing Gateways. We want to enforce MFA on our gateway and allow users to have freedom SSH-ing into any internal nodes using their regular password (or keys). Then add HBAC rules for certain hosts/services who require MFA authentications using OTP (for example, protected web resource access. NX etc) In order to achieve that, it seems to me we need turn on both 'password' and 'otp' for individual users or globally. This will then trigger 'password' for SSH and 'otp' auth for WebApps/NX and so on.
However when I looked at the online document @ https://www.freeipa.org/page/V4/OTP#Implementation , it stated "Mixing the "password" and "otp" user auth types should not be used", I wonder why "mixing" is not recommended, and what is the downside if we implement this way(in order to achieve what we're trying to do), or any other better strategies in this case?
Can some advice? Thank you in advance! Mizuki
On ma, 25 marras 2019, Mizuki Karasawa via FreeIPA-users wrote:
Hi all,
We started looking into OTP features provided by IPA in our facility. In our environment, majority of our machines are located in the private network, users access them via external-facing Gateways. We want to enforce MFA on our gateway and allow users to have freedom SSH-ing into any internal nodes using their regular password (or keys). Then add HBAC rules for certain hosts/services who require MFA authentications using OTP (for example, protected web resource access. NX etc) In order to achieve that, it seems to me we need turn on both 'password' and 'otp' for individual users or globally. This will then trigger 'password' for SSH and 'otp' auth for WebApps/NX and so on.
However when I looked at the online document @ https://www.freeipa.org/page/V4/OTP#Implementation , it stated "Mixing the "password" and "otp" user auth types should not be used", I wonder why "mixing" is not recommended, and what is the downside if we implement this way(in order to achieve what we're trying to do), or any other better strategies in this case?
If you are making sure your gateway nodes have no way to access them without OTP, then enabling both password and otp user auth types should be fine. The comment rather implies that users would be able to avoid using otp if 'password' is allowed but this pretty much depends on the target system configuration -- if the target system host does not accept Kerberos tickets without 'otp' authentication indicator, they will not be able to utilize their tickets without authentication indicators.
HBAC services have no way to force users to use 'otp' authentication indicator at the target system. You need to set it on the Kerberos service level. For example, if they SSH to the target system, then you need to set authentication indicator 'otp' requirement on the host object:
ipa host-mod foo.bar.z --auth-ind=otp
Be careful with setting --auth-ind on HTTP/... principals on IPA masters. This is currently not supported because the end-point is used by both Web UI and ipa CLI but also by the enrolling tools which don't use Kerberos authentication and cannot consume MFA-based tickets.
Thanks for the feedback! It boosted the confidence by setting both 'password' and 'otp' at the same time won't cause any future issues.
Luckily we don't have machine setup require Kerberos tickets and need 'otp' indicator all at once, so it won't be a problem in our environment (if I understood you statement correctly). OTP is really utilized in the higher level server/web applications who need to integrate to IPA or Gateway as mentioned.
And thanks for the tips & very much appreciated! :)
Mizuki
On Tue, Nov 26, 2019 at 1:56 AM Alexander Bokovoy abokovoy@redhat.com wrote:
On ma, 25 marras 2019, Mizuki Karasawa via FreeIPA-users wrote:
Hi all,
We started looking into OTP features provided by IPA in our facility. In our environment, majority of our machines are located in the private network, users access them via external-facing Gateways. We want to enforce MFA on our gateway and allow users to have freedom SSH-ing into any internal nodes using their regular password (or keys). Then add HBAC rules for certain hosts/services who require MFA authentications using OTP (for example, protected web resource access. NX etc) In order to achieve that, it seems to me we need turn on both 'password' and 'otp' for individual users or globally. This will then trigger 'password' for SSH and 'otp' auth for WebApps/NX and so on.
However when I looked at the online document @ https://www.freeipa.org/page/V4/OTP#Implementation , it stated "Mixing the "password" and "otp" user auth types should not be used", I wonder why "mixing" is not recommended, and what is the downside if we implement this way(in order to achieve what we're trying to do), or any other better strategies in this case?
If you are making sure your gateway nodes have no way to access them without OTP, then enabling both password and otp user auth types should be fine. The comment rather implies that users would be able to avoid using otp if 'password' is allowed but this pretty much depends on the target system configuration -- if the target system host does not accept Kerberos tickets without 'otp' authentication indicator, they will not be able to utilize their tickets without authentication indicators.
HBAC services have no way to force users to use 'otp' authentication indicator at the target system. You need to set it on the Kerberos service level. For example, if they SSH to the target system, then you need to set authentication indicator 'otp' requirement on the host object:
ipa host-mod foo.bar.z --auth-ind=otp
Be careful with setting --auth-ind on HTTP/... principals on IPA masters. This is currently not supported because the end-point is used by both Web UI and ipa CLI but also by the enrolling tools which don't use Kerberos authentication and cannot consume MFA-based tickets.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org