Features/FreeIPA Two Factor Authentication
FreeIPA Two Factor Authentication
Provide Kerberos enabled, LDAP replicated, two-factor authentication for FreeIPA.
- Name: Nathaniel McCallum
- Email: firstname.lastname@example.org
- Targeted release: Fedora 19
- Last updated: 2013-03-08
- Percentage of completion: 80%
- Patches are currently in review in corresponding projects: sssd, FreeIPA, MIT Kerberos
- The functionality will be delivered as a part of the SSSD 1.10 and FreeIPA 3.2 releases that will land in Fedora in mid April.
- The feature will be testable by then. We will organize a test day in June.
Until recently, no two-factor authentication was possible with Kerberos. However, the standardization of RFC 6560 combined with recent work in the MIT krb5 code makes it possible to now offer support for two-factor authentication in Kerberos.
Fedora 18 already supports most of the client side of this proposal. FreeIPA will be landing support for the server side in Fedora 19.
Benefit to Fedora
Users of FreeIPA will be able to deploy two-factor authentication across the replicated user directory.
- sssd will need to merge a patch for client side integration with OTP (already written).
- krb5 will need to backport a self-contained plugin for the server-side support (upstream work in process).
- FreeIPA will gain a dependency on libverto (already packaged and already a dependency of krb5).
How To Test
Each component will have unit tests.
No change will be made by default. When an admin configures a user for two-factor authentication, the authenticating user will need to use a TOTP client.
MIT needs to merge the OTPOverRADIUS proposal upstream. However, since we are backporting this feature anyway, this risk is minimal.
None necessary, FreeIPA will work exactly like it currently does.
Two Factor Authentication is now available for FreeIPA. For instructions, please see your FreeIPA administrator.