[Freeipa-users] interesting Kerberos issue

Nathaniel McCallum npmccallum at redhat.com
Mon May 18 14:47:47 UTC 2015


On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:
> Ok, let me ask this a different way, because maybe there is a way, 
> and I am just not seeing it.
> 
> I have 2 datacenters with typical bastions in each. I have enabled 
> OTP and that works fine via ssh. But the user has to log in to both 
> and opening ssh tunnels is problematic at best.
> 
> Using all the creativity in this list, maybe someone knows of another 
> way to have a user authenticate from a Mac where they would only have 
> to do it once to get their ticket?
> 
> I guess I can't think of anything, but no harm in asking.

Without support for the OTP pre-authentication mechanism, I don't know
of any way to do this while still retaining the security properties of
Kerberos. Basically, you'll have to hand over your password to a third
party (which has OTP support). This is ill-advised.

Nathaniel



