2FA with krb5

Jochen Kellner jochen at jochen.org
Thu Oct 7 13:35:59 EDT 2021


Hi,

[I'm running Kerberos inside FreeIPA, so plain Kerberos might be
different...]

Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>>We'd like to be able to leverage 2fa for some services (admins) and some 
>>services (ssh logins) but not have to pump a 2fa code into, say, our mail 
>>applications.  Is there a way to make the acquisition of a TGT (for GSSAPI 
>>authentication) vs Password Authentication require 2fa?
>
> Yes (I'll explain more below).
>
>>That's complication number one.
>>
>>Complication number 2 is something like "SecurID is *expensive* for a 
>>fairly small (<10) admin team."
>
> Yeah, tell me about it.

I've been running privacyIDEA (https://www.privacyidea.org/) for some
time to manage the tokens. Exposed the application with RADIUS and told
FreeIPA to authenticate against RADIUS. Had some rough edges, but was
usable for me and is able to manage many kinds of tokens.

Will it work for you? Maybe...

Jochen

-- 
This space is intentionally left blank.


More information about the Kerberos mailing list