Ken Hornstein <k...@cmf.nrl.navy.mil> writes:

>>I've been running Privacyidea (https://www.privacyidea.org/) for some
>>time to manage the tokens. Exposed the Application with RADIUS and told
>>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>>usable for me and is able to manage many kinds of tokens.
>
> So what's the _client_ look like? Specifically, are you doing FAST-OTP?
> If so, what client software are you using? Does this only work on
> systems with host keys, or do you do anonymous PKINIT?

I mostly use sssd and kinit. I'm not sure what sssd uses, but I remember traces from kinit using PKINIT. These two clients worked well for me.

Other clients (Java applications) had problems with OTP. See https://lists.jboss.org/pipermail/keycloak-user/2018-January/012759.html for the analysis we did there.

As you said - with the "right" clients it might work. Otherwise you might be stuck.

Jochen

--
This space is intentionally left blank.