Daniel PC via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Currently, I have 2FA implemented with password + FreeOTP as authentication
> methods.
>
> I wonder if it is possible to implement ssh pub+priv keys instead of a password
> as the first authentication factor.
>
> Has anyone implemented such a thing?

That's possible, but not with FreeIPA. On my Jump-Host I have the following in
/etc/ssh/sshd_config:

,----
| Match Group otpusers
|   AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
`----

So I can login with Kerberos (and maybe with authentication indicators). The
second authentication stream uses pubkey and whatever is defined in PAM. There
I have:

,----
| # If the user is in group otpusers, we use the next rule, otherwise we skip
| # the call to pam_yubico.
| auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
| auth sufficient pam_yubico.so id=<yubicoid> key=<appkey> urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
`----

I use privacyidea to manage my 2FA tokens (here I use Yubikeys). You could
also use freeotp or something else - the problem is to connect token and user
in the PAM stack.

Jochen
--
This space is intentionally left blank.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
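To see why the `[default=1 success=ignore]` / `sufficient` pair behaves as the comment in the PAM snippet says, and what happens to a group member whose OTP does not validate, here is an added example (not code from the post or from FreeIPA/privacyidea): a small interpreter for Linux-PAM bracket control actions run over that two-line stack. The group membership, the token mapping and the trailing `pam_password` module standing in for the rest of the auth stack are constructed assumptions.

```python
# Added example: interpret Linux-PAM control actions over the quoted auth stack.
OTPUSERS = {"alice", "bob"}        # constructed: members of group otpusers
REGISTERED_TOKENS = {"alice"}      # constructed: users with a Yubikey in authfile

def pam_succeed_if(user, ctx):
    """'user ingroup otpusers': PAM_SUCCESS only for group members."""
    return "success" if user in OTPUSERS else "fail"

def pam_yubico(user, ctx):
    """Success when the presented OTP validates and maps to this user."""
    return "success" if ctx.get("otp_valid") and user in REGISTERED_TOKENS else "fail"

def pam_password(user, ctx):
    """Hypothetical stand-in for the rest of the stack (e.g. pam_sss), 'required'."""
    return "success" if ctx.get("password_ok") else "fail"

# Each entry: ({module_result: action}, module).  An int action means
# "skip that many following modules"; the named keywords are the usual
# bracket-syntax actions.  sufficient == [success=done default=ignore],
# required == [success=ok default=bad].
AUTH_STACK = [
    ({"success": "ignore", "default": 1}, pam_succeed_if),      # [default=1 success=ignore]
    ({"success": "done", "default": "ignore"}, pam_yubico),     # sufficient
    ({"success": "ok", "default": "bad"}, pam_password),        # required (assumed)
]

def run_auth(user, ctx, stack=AUTH_STACK):
    """Return (overall result, list of modules actually invoked)."""
    invoked, i, failed, succeeded = [], 0, False, False
    while i < len(stack):
        control, module = stack[i]
        invoked.append(module.__name__)
        rc = module(user, ctx)
        action = control.get(rc, control["default"])
        if isinstance(action, int):          # jump: skip N modules, no verdict
            i += action + 1
            continue
        if action == "done":                 # decide now, unless a required module failed
            return ("success" if rc == "success" and not failed else "fail", invoked)
        if action == "die":
            return ("fail", invoked)
        if action == "bad":
            failed = True
        elif action == "ok" and rc == "success":
            succeeded = True
        i += 1
    return ("success" if succeeded and not failed else "fail", invoked)
```

A user outside `otpusers` never reaches `pam_yubico`; a member with a valid OTP is accepted at the `sufficient` line, while a member whose OTP fails falls through to whatever follows in the real stack, because `sufficient` ignores failure.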