Features/FreeIPA Two Factor Authentication

From FedoraProject


Latest revision as of 12:48, 28 May 2013
FreeIPA Two Factor Authentication

Summary

Provide Kerberos enabled, LDAP replicated, two-factor authentication for FreeIPA.

Owner

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-05-14
  • Percentage of completion: 100%
  • Patches are currently in review in the corresponding projects: sssd, FreeIPA, MIT Kerberos
  • The core functionality (krb5, FreeIPA) is testable in F19 now.
  • Remaining functionality will be delivered in SSSD 1.10 and FreeIPA 3.2.1.
  • We will organize a test day in June.

  Component      Code        Submitted   Merged Upstream   In F19
  sssd           github.com  YES         YES               YES
  krb5           github.com  YES         In Process        YES
  freeipa-devel  github.com  YES         YES               YES

Detailed Description

Until recently, no two-factor authentication was possible with Kerberos. However, the standardization of RFC 6560 (OTP pre-authentication), combined with recent work in the MIT krb5 code, now makes it possible to offer two-factor authentication in Kerberos.

Fedora 18 already supports most of the client side of this proposal. FreeIPA will be landing support for the server side in Fedora 19.

Benefit to Fedora

Users of FreeIPA will be able to deploy two-factor authentication across the replicated user directory.

Scope

  • sssd will need to merge a patch for client side integration with OTP (already written).
  • krb5 will need to backport a self-contained plugin for the server-side support (upstream work in process).
  • FreeIPA will gain a dependency on libverto (already packaged and already a dependency of krb5).

How To Test

Each component will have unit tests.

To test the feature as a whole, you will need a TOTP (RFC 6238) client, such as Google Authenticator. You will then add a token to a user and confirm that authentication succeeds.

User Experience

No change will be made by default. When an admin configures a user for two-factor authentication, the authenticating user will need to use a TOTP client.

Dependencies

MIT needs to merge the OTPOverRADIUS proposal upstream. However, since we are backporting this feature anyway, this risk is minimal.

Contingency Plan

None necessary; FreeIPA will continue to work exactly as it currently does.

Documentation

Release Notes

Two Factor Authentication is now available for FreeIPA. For instructions, please see your FreeIPA administrator.

Comments and Discussion