[Freeipa-users] FreeIPA + Yubikey conditional login process

Dmitri Pal dpal at redhat.com
Sun Jan 13 21:32:51 UTC 2013


On 01/12/2013 07:17 PM, Dale Macartney wrote:
>
> Evening all
>
> So, basis of my testing environment is as follows
>
> RHEL 6 running IPA 2.2 or 3.0 (Will be looking to test on both versions)
> RHEL 6 and Fedora 18 workstations connected as ipa clients to IPA domain.
>
> I am using this article in place with my testing environment.
> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>
> What I would like to achieve is:
>
> Scenario 1:
> - From IPA client workstation
> remote SSH session authenticates using current TGT from workstation
> session. No password or yubikey prompt. This should be completely SSO.
>
> Scenario 2:
> - From Non-IPA client workstation
> remote SSH session authenticates via password AND yubikey prompt as no
> TGT is available.
>
>
> What I don't know how to achieve is Scenario 2.
>
> Is this possible? I'm processing it in my mind of pam having a
> conditional required option, but I don't know of a way to make it happen.
>

From my past experience, it was possible if the PAM modules you want to
stack support the right PAM flags and conditions. I do not remember the
details, as it was quite some time ago, but I know that something like this
can be accomplished if pam_yubikey (I assume something like this exists)
and pam_sss are stacked in the right way.
 
> Thanks all
>
> Dale

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
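
Added example (not part of the original messages, and not configuration from the FreeIPA project): one way to get the two scenarios from the thread, relying on the fact that sshd only runs the PAM auth stack for keyboard-interactive and password logins, not for GSSAPI logins. Assumptions: the YubiKey module is pam_yubico, and the id= value and authfile= path below are placeholders.

```conf
# --- /etc/ssh/sshd_config (excerpt) ---
UsePAM yes

# Scenario 1: an IPA client holding a TGT obtains a host service ticket and
# logs in via GSSAPI. sshd does not call the PAM "auth" stack for this
# method, so there is no password or YubiKey prompt (account and session
# stacks still run).
GSSAPIAuthentication yes

# Scenario 2: with no TGT the client falls back to keyboard-interactive,
# which is driven by PAM and can ask more than one question.
# The plain "password" method can only answer a single prompt, so it is
# disabled to keep the second factor from being skipped.
ChallengeResponseAuthentication yes
PasswordAuthentication no

# Public-key logins also skip the PAM auth stack. Disable them if every
# non-Kerberos login must present both factors.
PubkeyAuthentication no

# --- /etc/pam.d/sshd (auth lines only; account, password and session
#     lines stay as they are) ---
# Both modules are "required": a failure of the first factor does not stop
# the stack, so the user is still asked for the second one and cannot tell
# which factor was rejected.
auth  required  pam_sss.so
auth  required  pam_yubico.so id=CLIENT_ID_PLACEHOLDER authfile=/etc/yubikey_mappings
```

Keep a root session open while testing: a mistake in the auth stack locks out every non-Kerberos login, including local accounts that pam_sss does not know.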

