[Freeipa-users] Re: Requiring OTP thru PAM+LDAP

Tue, 13 Feb 2024 12:58:41 -0800 

My goal is 2FA for OpenVPN clients, I was using pam+sssd to do this - but I 
discovered that people were able to login without any 2FA at all.

Is there a way to validate only the OTP using a command line tool on a remote 
server to FreeIPA? My thinking is I could use pam to perform the password 
check, but I'd still need a way to validate MFA.




On Monday, February 12, 2024 at 10:28:01 AM EST, Alexander Bokovoy 
<aboko...@redhat.com> wrote: 





On Пан, 12 лют 2024, G H via FreeIPA-users wrote:

>I am using SSSD in LDAP-only mode (no kerberos at all), communicating
>with FreeIPA. For certain hosts, I want to require sssd to demand OTP.
>
>Right now, they are allowing password OR password+OTP. But my 'ipa
>show-host' output for the hosts in question have "Authentication
>Indicators: otp". What do I need to do for sssd to only accept
>password+OTP ?


Authentication indicators are Kerberos-only.

The way to enforce OTP use by the LDAP client during bind is by adding a
control OTP_REQUIRED_OID (2.16.840.1.113730.3.8.10.7) during LDAP SASL
bind like how ipa-otpd daemon does:

    LDAPControl control = { OTP_REQUIRED_OID, {}, true };
    LDAPControl *ctrls[] = { &control, NULL };

    ...

    cred.bv_val = data->data;
    cred.bv_len = data->length;
    i = ldap_sasl_bind(verto_get_private(ev), item->user.dn, LDAP_SASL_SIMPLE,
                        &cred, ctrls, NULL, &item->msgid);

I don't think it is possible to do so by SSSD as it is.

I have a proposal https://github.com/freeipa/freeipa/pull/7200 that
enforces OTP over *all* LDAP binds server-side, by effectively assuming
this OID is present always in any client LDAP bind.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to