[39009] in Kerberos


Re: 2FA with krb5

daemon@ATHENA.MIT.EDU (Jochen Kellner)
Thu Oct 7 14:27:01 2021

From: Jochen Kellner <jochen@jochen.org>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Thu, 07 Oct 2021 19:35:59 +0200
In-Reply-To: <202110070127.1971R4KA032759@hedwig.cmf.nrl.navy.mil> (Ken
	Hornstein's message of "Wed, 06 Oct 2021 21:27:04 -0400")
Message-ID: <835yu8agao.fsf@jochen.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


Hi,

[I'm running Kerberos inside FreeIPA, so plain Kerberos might be
different...]

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

>>We'd like to be able to leverage 2fa for some services (admins) and some 
>>services (ssh logins) but not have to pump a 2fa code into, say, our mail 
>>applications.  Is there a way to make the acquisition of a TGT (for GSSAPI 
>>authentication) vs Password Authentication require 2fa?
>
> Yes (I'll explain more below).
>
>>That's complication number one.
>>
>>Complication number 2 is something like "SecurID is *expensive* for a 
>>fairly small (<10) admin team."
>
> Yeah, tell me about it.

I've been running privacyIDEA (https://www.privacyidea.org/) for some
time to manage the tokens. Exposed the application via RADIUS and told
FreeIPA to authenticate against RADIUS. Had some rough edges, but was
usable for me and is able to manage many kinds of tokens.

Will it work for you? Maybe...

Jochen

-- 
This space is intentionally left blank.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
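The hop Jochen describes (FreeIPA's KDC forwarding the user's OTP to privacyIDEA over RADIUS) is a plain RFC 2865 PAP exchange: the OTP travels in a User-Password attribute obfuscated with an MD5 stream keyed by the shared secret and the request authenticator, and the only thing that authenticates the Access-Accept coming back is the Response Authenticator. The block below is an added example, not code from the original post, from privacyIDEA or from FreeIPA; the shared secret, the user name and the one-entry token store are constructed for illustration. It encodes the request as a RADIUS client would, answers it as a minimal server would, and verifies the reply on the client side:

```python
"""Minimal RFC 2865 PAP exchange: client encodes an Access-Request carrying an
OTP, a toy server answers Accept/Reject, client verifies the Response
Authenticator.  Constructed example; not privacyIDEA or FreeIPA code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed token store standing in for privacyIDEA's token validation.
TOKENS = {"admin": "123456"}


def check_otp(user, otp):
    """Constant-time comparison against the (constructed) expected OTP."""
    expected = TOKENS.get(user, "")
    return hmac.compare_digest(expected.encode(), otp.encode()) and expected != ""


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    pw = password.encode()
    pw += b"\x00" * ((16 - len(pw) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the ciphertext block, not the plaintext
    return out


def decrypt_password(blob, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], keystream))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:  # a zero-length attribute would loop forever
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, auth, attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side: the OTP goes in User-Password, PAP-encrypted."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def handle_access_request(pkt, secret, validate=check_otp):
    """Server side: recover the OTP, validate it, sign the reply with the secret."""
    _, ident, req_auth, attrs = parse_packet(pkt)
    user = attrs[ATTR_USER_NAME].decode()
    otp = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if validate(user, otp) else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(resp, request_auth, secret):
    """Client side: returns (authenticator_valid, accepted).  A reply whose
    authenticator fails is never treated as an Accept."""
    code, _, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    valid = hmac.compare_digest(expected, resp_auth)
    return valid, valid and code == ACCESS_ACCEPT


def demo(secret=b"constructed-shared-secret", username="admin", otp="123456"):
    """One full round trip; returns (authenticator_valid, accepted)."""
    request_auth = os.urandom(16)
    req = build_access_request(7, username, otp, secret, request_auth)
    resp = handle_access_request(req, secret)
    return verify_response(resp, request_auth, secret)


if __name__ == "__main__":
    print(demo())                   # (True, True)
    print(demo(otp="000000"))       # (True, False)
```

Two things worth noticing before putting a production OTP source behind this hop: the "encryption" of User-Password is an MD5 keystream derived from the shared secret, so the OTP on the wire is only as protected as that secret and the network path (which is why the RADIUS leg between the KDC and the token server is normally kept on a private network, IPsec or RadSec), and the client must check the Response Authenticator, since a forged Access-Accept with a valid-looking code would otherwise be accepted.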
