#4875 [RFE] Enforce OTP only on subset of hosts
Closed: fixed 5 years ago Opened 9 years ago by dpal.

We now allow the OTP feature per user.
If there is a setup where there are gateway hosts for the infra and it is a self-contained environment, then 2FA for all the hosts might be a usability issue. The preferred approach in this case is to enforce 2FA only at the gateways (jump hosts).

Use case:
- IdM setup
- There are outer hosts - gateways (jump hosts)
- Inner hosts - normal systems
- All systems are joined to IdM
- Users come from IdM and OTP is enabled

Requirement:
- Enforce 2FA when users log into gateways
- Allow simple hopping/authentication with single factor from gateways to inner hosts and between inner hosts.


Specifying per-host requirement for OTP would be a great part of HBAC; this would allow flexibility in the form of "$A group of users must have authenticated with one of $B mechanisms when accessing $C groups of servers via $D group of services".
-mjs

I think for many use cases an even simpler approach could be enough:
If we consider the gateway doing the authentication request as sort of trusted, one could simply say if the request comes from $source_ip we require OTP.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Auth indicators should satisfy this requirement, marking as fixed.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
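The allow-list semantics behind the "auth indicators" resolution above, as an added example that is not code from FreeIPA or from anyone in this ticket: the KDC issues a service ticket for a host only if the user's TGT carries at least one indicator from that host's allow list, and an empty allow list accepts any TGT. The host names, the per-host lists and the two-hop walk are constructed; the `ipa host-mod --auth-ind` command in the docstring is an assumption about how the list is set.

```python
"""Model of how Kerberos authentication indicators gate access per host.

Constructed scenario from the ticket: gateways (jump hosts) require an OTP
indicator, inner hosts require nothing, and forwarded credentials keep the
indicators of the original TGT.  Setting the allow list per host in FreeIPA
is assumed to be `ipa host-mod --auth-ind=otp gw1.example.test`.
"""
from __future__ import annotations

# Constructed per-host allow lists: gateways demand OTP (or RADIUS), inner
# hosts have an empty list and therefore accept any TGT.
HOST_AUTH_IND: dict[str, frozenset[str]] = {
    "gw1.example.test": frozenset({"otp"}),
    "gw2.example.test": frozenset({"otp", "radius"}),
    "app1.example.test": frozenset(),
    "db1.example.test": frozenset(),
}


def kdc_issues_service_ticket(tgt_indicators: set[str], required: frozenset[str]) -> bool:
    """Allow-list check: an empty list accepts any TGT; otherwise the TGT must
    carry at least one of the required indicators (intersection, not subset)."""
    if not required:
        return True
    return bool(tgt_indicators & required)


def walk_path(tgt_indicators: set[str], path: list[str]) -> tuple[bool, str | None]:
    """Hop host by host with forwarded credentials.  The forwarded TGT keeps
    its indicators, so the same check is applied at every hop.
    Returns (reached_last_host, first_host_that_denied_or_None)."""
    for host in path:
        required = HOST_AUTH_IND.get(host, frozenset())
        if not kdc_issues_service_ticket(tgt_indicators, required):
            return False, host
    return True, None


if __name__ == "__main__":
    # A plain password login yields a TGT with no indicator; an OTP login yields {"otp"}.
    print(walk_path(set(), ["gw1.example.test", "app1.example.test"]))     # (False, 'gw1.example.test')
    print(walk_path({"otp"}, ["gw1.example.test", "app1.example.test"]))  # (True, None)
    print(walk_path(set(), ["app1.example.test", "db1.example.test"]))    # (True, None)
```

The third call shows the trade-off the ticket accepts: a single-factor login straight to an inner host is allowed, so the gateway requirement only protects hosts that are unreachable except through a gateway.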
