Hi Jeremy,

> On 22.04.2016 at 22:40, Jeremy Utley <[email protected]> wrote:
>
> Hello all!
>
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but
> one thing that is standing in the way is 2FA. I know FreeIPA has support for
> Google Auth, FreeOTP, and Yubikey. We'd like to go with Yubikeys over the
> phone-based systems, but a lot of the docs regarding Yubikey seem to either
> be out-dated, or not real clear (at least to me). So I'd like to ask a few
> questions to make sure I'm understanding correctly.
>
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine
> and run the "ipa otptoken-add-yubikey" command. This implies that the
> machine that sets up the Yubikey needs to be part of the FreeIPA domain,
> which presents somewhat of a problem for us, as our current IPA setup has no
> desktops, and is in a remote "lights-out" datacenter an hour's drive from our
> office. I did see a post recently in the archives of someone figuring out
> how to set up a Yubikey via the web interface
> (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) -
> would this be viable?

Sure, but you shouldn't use online base32 converters for that. You can use the
Yubikey personalization tools and the web interface/API to enroll Yubikeys
manually.

> 2) Does the otptoken-add-yubikey command actually change the programming of
> the Yubikey, or does it simply read its configuration? We have some users
> who are already using a Yubikey for personal stuff, and we'd like to allow
> those users to continue to use their existing Yubikey to auth to our IPA
> domain, but if the add command changes the programming of the key, that may
> not be possible without using the second slot, and if users are already using
> the second slot, they are out of luck.

HOTP/TOTP depend on a shared secret between the token and FreeIPA. This needs
to be stored in one of the two slots of the Yubikey.

> 3) Does Yubikey auth require talking to the outside world to function? Our
> IPA setup is within a secure zone, with no direct connectivity to the outside
> world, so if this is necessary, it would be a possible deal-breaker for these.

No, this would only be needed if you were using the factory-programmed Yubico
key in slot 1, which is not supported by FreeIPA anyway.

David
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
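The manual enrollment David describes (generate the shared secret yourself, program it into a YubiKey slot with the personalization tool, hand the same secret to FreeIPA, and keep everything offline instead of pasting it into an online base32 converter) as an added, self-contained example. This is not code from the thread, from FreeIPA or from Yubico. It only produces the encodings and the two commands and implements RFC 4226 HOTP so you can check that the slot really holds the secret IPA knows; it never talks to the key or the server. The `ykpersonalize` flags (`-1`/`-2`, `-ooath-hotp`, `-ooath-hotp8`, `-a<hex>`) are taken from that tool's documentation and the claim that `ipa otptoken-add --key` takes base64 on the CLI is an assumption, so check both against your installed versions.

```python
"""Offline OATH-HOTP enrollment helper for a YubiKey slot and FreeIPA.

Added example, not FreeIPA or Yubico code. Generates the shared secret
locally, prints what the YubiKey personalization tool and the FreeIPA web
UI / CLI each need, and verifies the first presses of the programmed key
against the secret. Nothing here contacts a YubiKey or an IPA server.
"""
import base64
import hashlib
import hmac
import secrets
import struct

KEY_BYTES = 20  # RFC 4226 recommends a 160-bit shared secret


def generate_secret(nbytes=KEY_BYTES):
    """Fresh random HOTP secret from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def secret_encodings(secret):
    """Return (hex, base32) for one secret.

    hex    -> what ykpersonalize takes as the slot key
    base32 -> what the FreeIPA web UI "Add OTP Token" form takes as the key
    No online converter needed; both come straight from the bytes.
    """
    return secret.hex(), base64.b32encode(secret).decode("ascii")


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrollment_commands(secret, slot=2, digits=6):
    """The two out-of-band steps as command strings (ykpersonalize, ipa).

    Assumptions, not taken from the thread; verify against your versions:
    - ykpersonalize: -1/-2 picks the slot, -ooath-hotp selects OATH-HOTP,
      -ooath-hotp8 selects 8 digits, -a<hex> supplies the 20-byte key.
    - ipa otptoken-add --key expects the secret base64-encoded on the CLI
      (the web UI form takes the base32 form from secret_encodings instead).
    Slot 2 is the default so slot 1 (often a user's existing config) is kept.
    """
    hexkey, _ = secret_encodings(secret)
    flags = ["-ooath-hotp"] + (["-ooath-hotp8"] if digits == 8 else [])
    yk = "ykpersonalize -%d %s -a%s" % (slot, " ".join(flags), hexkey)
    ipa = "ipa otptoken-add --type=hotp --digits=%d --key=%s" % (
        digits, base64.b64encode(secret).decode("ascii"))
    return yk, ipa


def find_counter(secret, observed, window=10, digits=6):
    """Return the counter (0..window-1) that yields `observed`, else -1.

    Sanity check right after programming: press the key into a text editor
    and pass the last `digits` characters here (a slot may also emit a
    token-ID prefix). Index 0 means the slot holds exactly this secret; no
    hit inside the window means the slot was programmed with another key
    (for instance a leftover personal config) and IPA would reject it.
    """
    for counter in range(window):
        if hmac.compare_digest(hotp(secret, counter, digits), observed):
            return counter
    return -1


if __name__ == "__main__":
    secret = generate_secret()
    hexkey, b32 = secret_encodings(secret)
    print("web UI key (base32):", b32)
    for cmd in enrollment_commands(secret):
        print(cmd)
    print("expected first press:", hotp(secret, 0))
```

Run it on an admin workstation that is offline from the datacenter, program the key there with the printed `ykpersonalize` line, then enroll the base32 (web UI) or base64 (CLI) form of the same secret in IPA. Because it is HOTP, the check in `find_counter` is the only point at which the key and IPA can drift apart: if a user has already pressed the key a few times before enrollment, the index it returns tells you how far ahead the token is.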
