We now allow OTP feature per user. If there is a setup where there are gateway hosts for the infra and it is a self contained environment then 2FA for all the hosts might be a usability issue. The preferred approach in this case is to enforce 2FA only at the gateways (jump hosts).
Use case:
- IdM setup
- There are outer hosts - gateways (jump hosts)
- Inner hosts - normal systems
- All systems are joined to IdM
- Users come from IdM and OTP is enabled

Requirement:
- Enforce 2FA when users log into gateways
- Allow simple hopping/authentication with single factor from gateways to inner hosts and between inner hosts.
Specifying per-host requirement for OTP would be a great part of HBAC; this would allow flexibility in the form of "$A group of users must have authenticated with one of $B mechanisms when accessing $C groups of servers via $D group of services". -mjs
I think for many use cases an even simpler approach could be enough: If we consider the gateway doing the authentication request as sort of trusted, one could simply say if the request comes from $source_ip we require OTP.
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Auth indicators should satisfy this requirement, marking as fixed.
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
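As an added illustration, not code from this ticket or from FreeIPA, the following Python model shows the check that authentication indicators add to the KDC and why it satisfies the gateway/inner-host requirement above: a service principal that carries a required indicator (set in FreeIPA with `ipa service-mod host/<fqdn> --auth-ind=otp`) only gets service tickets issued for TGTs that were obtained with that mechanism, while principals with no required indicator accept any TGT. The hostnames, user names and the `login_path` helper are constructed for the example.

```python
"""Constructed model (not FreeIPA code) of how Kerberos authentication
indicators gate service-ticket issuance at the KDC.

The KDC stamps each TGT with the pre-authentication mechanism that produced
it ("otp", "radius", "pkinit", "hardened", ...).  A service principal may
carry a list of required indicators (krbPrincipalAuthInd, set with
`ipa service-mod host/gw1.example.test --auth-ind=otp`); a service ticket is
issued only if the TGT carries at least one of them.  Principals with no
requirement accept any TGT, which is what lets a password-only hop from a
gateway to inner hosts, or between inner hosts, succeed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tgt:
    """A ticket-granting ticket as the KDC issued it."""
    user: str
    auth_indicators: frozenset  # e.g. frozenset({"otp"}) after an OTP AS exchange


@dataclass(frozen=True)
class ServicePrincipal:
    """A service principal; required_indicators models krbPrincipalAuthInd."""
    name: str
    required_indicators: frozenset = frozenset()  # empty = no restriction


def kdc_allows_service_ticket(tgt: Tgt, svc: ServicePrincipal) -> bool:
    """Mirror of the KDC decision: no requirement -> issue; otherwise the TGT
    must carry at least one of the indicators the principal requires."""
    if not svc.required_indicators:
        return True
    return bool(tgt.auth_indicators & svc.required_indicators)


def build_realm() -> dict:
    """Constructed realm: gateways require 'otp', inner hosts require nothing."""
    gateways = ("gw1.example.test", "gw2.example.test")
    inner = ("app1.example.test", "db1.example.test")
    realm = {}
    for h in gateways:
        realm[f"host/{h}"] = ServicePrincipal(f"host/{h}", frozenset({"otp"}))
    for h in inner:
        realm[f"host/{h}"] = ServicePrincipal(f"host/{h}")
    return realm


def login_path(tgt: Tgt, realm: dict, hops) -> list:
    """Evaluate a chain of ssh hops with one TGT; return (host, allowed) per
    hop and stop at the first refusal, since the user never reaches the
    next host."""
    results = []
    for host in hops:
        ok = kdc_allows_service_ticket(tgt, realm[f"host/{host}"])
        results.append((host, ok))
        if not ok:
            break
    return results


if __name__ == "__main__":
    realm = build_realm()
    hops = ("gw1.example.test", "app1.example.test", "db1.example.test")
    cases = (
        ("alice, password only", Tgt("alice", frozenset())),
        ("alice, password + OTP", Tgt("alice", frozenset({"otp"}))),
    )
    for label, tgt in cases:
        print(label)
        for host, ok in login_path(tgt, realm, hops):
            print(f"  host/{host}: {'ticket issued' if ok else 'REFUSED (indicator missing)'}")
    # An inner-host-only path needs no OTP at all.
    print("bob, password only, inner hosts only")
    for host, ok in login_path(Tgt("bob", frozenset()), realm, hops[1:]):
        print(f"  host/{host}: {'ticket issued' if ok else 'REFUSED'}")
```

Because the check happens when the service ticket is requested, it covers both GSSAPI logins and SSSD password logins that validate the TGT against the host keytab; indicator names are matched literally, so the value given to `--auth-ind` must be the one the KDC actually stamps for the mechanism in use.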