22.4. Restricting Access to Services and Hosts Based on How Users Authenticate
The authentication mechanisms supported by IdM vary in their authentication strength. For example, authentication using a one-time password (OTP) in combination with a standard password is considered safer than authentication using a standard password only. This section shows how to limit access to services and hosts based on how the user authenticates.
For example, you can configure:
- services critical to security, such as VPN, to require a strong authentication method
- noncritical services, such as local logins, to allow authentication using a weaker, but more convenient authentication method

Figure 22.8. Example of Authenticating Using Different Methods
Authentication Indicators
Access to services and hosts is defined by authentication indicators:
- Indicators included in a service or host entry define what authentication methods the user can use to access that service or host.
- Indicators included in the user's ticket-granting ticket (TGT) show what authentication method was used to obtain the ticket.
If the indicator in the principal does not match the indicator in the TGT, the user is denied access.
22.4.1. Configuring a Host or a Service to Require a Specific Authentication Method
You can configure a host or a service either from the web UI or from the command line.
Web UI: Configuring a Host or a Service to Require a Specific Authentication Method
- Select Identity → Hosts or Identity → Services.
- Click the name of the required host or service.
- Under Authentication indicators, select the required authentication method.
- For example, selecting OTP ensures that only users who used a valid OTP code with their password will be allowed to access the host or service.
- If you select both OTP and RADIUS, either OTP or RADIUS will be sufficient to allow access.
- Click Save at the top of the page.
Command Line: Configuring a Host or a Service to Require a Specific Authentication Method
- Optional. Use the ipa host-find or ipa service-find commands to identify the host or service.
- Use the ipa host-mod or the ipa service-mod command with the --auth-ind option to add the required authentication indicator. For a list of the values accepted by --auth-ind, see the output of the ipa host-mod --help or ipa service-mod --help commands.
For example, --auth-ind=otp ensures that only users who used a valid OTP code with their password will be allowed to access the host or service:

    $ ipa host-mod server.example.com --auth-ind=otp
    ---------------------------------------------------------
    Modified host "server.example.com"
    ---------------------------------------------------------
      Host name: server.example.com
      ...
      Authentication Indicators: otp
      ...
If you add indicators for both OTP and RADIUS, either OTP or RADIUS will be sufficient to allow access.
22.4.2. Changing the Kerberos Authentication Indicator
By default, Identity Management (IdM) uses the pkinit indicator for certificate mapping for Kerberos authentication using the PKINIT pre-authentication plug-in. If you need to change the authentication indicator that the Kerberos Key Distribution Center (KDC) inserts into a ticket-granting ticket (TGT), modify the configuration on all IdM masters that provide PKINIT functionality as follows:
- In the /var/kerberos/krb5kdc/kdc.conf file, add the pkinit_indicator parameter to the [kdcdefaults] section:

    # pkinit_indicator = indicator

You can set the indicator to one of the following values:
- otp for two-factor authentication
- radius for RADIUS-based authentication
- pkinit for smart card authentication
- Restart the krb5kdc service:

    # systemctl restart krb5kdc