22.3. One-Time Passwords
Important
- The user authenticates with a traditional password.
- The user provides an OTP code generated by a recognized OTP token.
Warning
- The most important security limitation is the potential vulnerability to replay attacks across the replicas. Replication is asynchronous, and an OTP code can therefore be reused on another server during the replication period: a user might be able to log on to two servers at the same time. However, this vulnerability is usually difficult to exploit due to comprehensive encryption.
- It is not possible to obtain a ticket-granting ticket (TGT) using a client that does not support OTP authentication. This might affect certain use cases, such as authentication using the mod_auth_kerb module or the Generic Security Services API (GSSAPI).
- It is not possible to use password + OTP in the IdM solution if FIPS mode is enabled.
22.3.1. How OTP Authentication Works in IdM
22.3.1.1. OTP Tokens Supported in IdM
Software and Hardware Tokens
User-managed and Administrator-managed Tokens
- User-managed tokens
- Users have full control over user-managed tokens in Identity Management: they are allowed to create, edit, or delete their tokens.
- Administrator-managed tokens
- The administrator adds administrator-managed tokens to the users' accounts. Users themselves have read-only access for such tokens: they do not have the permission to manage or modify the tokens and they are not required to configure them in any way.
Supported OTP Algorithms
- The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hash-based Message Authentication Code (RFC 2104); HOTP is specified in RFC 4226.
- The Time-Based One-Time Password (TOTP) algorithm (RFC 6238) is an extension of HOTP that replaces the counter with a time-based moving factor, usually the number of 30-second steps since the Unix epoch.
22.3.1.2. Available OTP Authentication Methods
- Two-factor authentication (password + OTP)
- With this method, the user is always required to enter both a standard password and an OTP code.
- Password
- With this method, the user still has the option to authenticate using a standard password only.
- RADIUS proxy server authentication
- For information on configuring a RADIUS server for OTP validation, see Section 22.3.7, “Migrating from a Proprietary OTP Solution”.
Global and User-specific Authentication Methods
- By default, user-specific authentication method settings take precedence over global settings. If no authentication method is set for a user, the globally-defined methods apply.
- You can disable per-user authentication method settings for any user. This ensures IdM ignores the per-user settings and always applies the global settings for the user.
Combining Multiple Authentication Methods
- If you configure both two-factor and password authentication, the user must provide the password (first factor), but providing the OTP (second factor) is optional when using the command line. The prompts look like:
    First Factor:
    Second Factor (optional):
- In the web UI, the user must still provide both factors.
Note
- Kerberos will always use RADIUS, but LDAP will not. LDAP only recognizes the password and two-factor authentication methods.
- If you use an external two-factor authentication provider, use Kerberos from your applications. If you want to let users authenticate with a password only, use LDAP. It is recommended that applications use Apache modules and SSSD, which allow either Kerberos or LDAP to be configured.
22.3.1.3. GNOME Keyring Service Support
    First factor: static_password
    Second factor: one-time_password
22.3.1.4. Offline Authentication with OTP
When logging in, SSSD prompts for the two factors separately:
    First factor: static_password
    Second factor: one-time_password
It is also possible to enter both factors together at the First factor prompt. However, note that this is not compatible with offline OTP authentication. If the user enters both factors in a single prompt, IdM will always have to contact the central authentication server when authenticating, which requires the system to be online.
Important
Offline authentication with OTP is possible only if:
- The cache_credentials option in the /etc/sssd/sssd.conf file is set to True, which enables caching of the first-factor password.
- The first-factor static password meets the password length requirement defined in the cache_credentials_minimal_first_factor_length option in /etc/sssd/sssd.conf. The default minimal length is 8 characters. For more information about the option, see the sssd.conf(5) man page.
If the krb5_store_password_if_offline option is set to true in /etc/sssd/sssd.conf, SSSD does not attempt to refresh the Kerberos ticket-granting ticket (TGT) when the system goes online again, because the OTP might already be invalid at that point. To obtain a TGT in this situation, the user must authenticate again using both factors.
22.3.2. Required Settings for Configuring a RADIUS Proxy on an IdM Server Running in FIPS Mode
RADIUS (RFC 2865) hides the User-Password attribute and computes packet authenticators with MD5, which FIPS mode does not allow by default. To permit non-approved MD5 within the radiusd service:
- Create the /etc/systemd/system/radiusd.service.d/ipa-otp.conf file with the following content:
    [Service]
    Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
- Reload the systemd configuration:
    # systemctl daemon-reload
- Start the radiusd service:
    # systemctl start radiusd
22.3.3. Enabling Two Factor Authentication
To enable two-factor authentication using:
- the web UI, see the section called “Web UI: Enabling Two Factor Authentication”.
- the command line, see the section called “Command Line: Enabling Two Factor Authentication”.
Web UI: Enabling Two Factor Authentication
- Select→ .
- In the User Options area, select the required Default user authentication types.
Figure 22.4. User Authentication Methods
- Select→ , and click the name of the user to edit.
- In the Account Settings area, select the required User authentication types.
Figure 22.5. User Authentication Methods
Command Line: Enabling Two Factor Authentication
- To set the global authentication method, run the ipa config-mod --user-auth-type command. For example, to set the global authentication method to two-factor authentication:
    $ ipa config-mod --user-auth-type=otp
  For a list of values accepted by --user-auth-type, run the ipa config-mod --help command.
- To disable per-user overrides, thus ensuring the global settings are not overridden with per-user settings, add the --user-auth-type=disabled option as well. For example, to set the global authentication method to two-factor authentication and disable per-user overrides:
    $ ipa config-mod --user-auth-type=otp --user-auth-type=disabled
  If you do not set --user-auth-type=disabled, authentication methods configured per user take precedence over the global settings.
- To set the authentication method for a single user, run the ipa user-mod --user-auth-type command. For example, to require that user uses two-factor authentication:
    $ ipa user-mod user --user-auth-type=otp
- To allow several methods, specify --user-auth-type multiple times. For example, to configure both password and two-factor authentication globally for all users:
    $ ipa config-mod --user-auth-type=otp --user-auth-type=password
22.3.4. Adding a User-Managed Software Token
- Log in with your standard password.
- Make sure the FreeOTP Authenticator application is installed on your mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
- Create the software token in the IdM web UI or from the command line.
  - To create the token in the web UI, click Add under the OTP Tokens tab. If you are logged in as the administrator, the OTP Tokens tab is accessible through the Authentication tab.
    Figure 22.6. Adding an OTP Token for a User
  - To create the token from the command line, run the ipa otptoken-add command:
    $ ipa otptoken-add
    ------------------
    Added OTP token ""
    ------------------
      Unique ID: 7060091b-4e40-47fd-8354-cb32fecd548a
      Type: TOTP
      ...
    For more information about ipa otptoken-add, run the command with the --help option added.
- A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.
22.3.5. Adding a User-Managed YubiKey Hardware Token
- Log in with your standard password.
- Insert your YubiKey token.
- Run the ipa otptoken-add-yubikey command.
  - If the YubiKey has an empty slot available, the command selects the empty slot automatically.
  - If no empty slot is available, you must select a slot manually using the --slot option. For example:
    $ ipa otptoken-add-yubikey --slot=2
    Note that this overwrites the selected slot.
22.3.6. Adding a Token for a User as the Administrator
To add a software token for a user:
- Make sure you are logged in as the administrator.
- Make sure the FreeOTP Authenticator application is installed on the mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
- Create the software token in the IdM web UI or from the command line.
  - To create the token in the web UI, open the OTP Tokens tab under Authentication and click Add at the top of the list of OTP tokens. In the Add OTP Token form, select the owner of the token.
    Figure 22.7. Adding an Administrator-Managed Software Token
  - To create the token from the command line, run the ipa otptoken-add command with the --owner option. For example:
    $ ipa otptoken-add --owner=user
    ------------------
    Added OTP token ""
    ------------------
      Unique ID: 5303baa8-08f9-464e-a74d-3b38de1c041d
      Type: TOTP
      ...
- A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.
To add a YubiKey hardware token for a user:
- Make sure you are logged in as the administrator.
- Insert the YubiKey token.
- Run the ipa otptoken-add-yubikey command with the --owner option. For example:
    $ ipa otptoken-add-yubikey --owner=user
22.3.7. Migrating from a Proprietary OTP Solution
- Make sure that the radius user authentication method is enabled. See Section 22.3.3, “Enabling Two Factor Authentication” for details.
- Run the ipa radiusproxy-add proxy_name --secret secret command to add a RADIUS proxy. The command prompts you for the required information. The RADIUS proxy requires a secret shared between the client and the server to wrap credentials; specify this secret in the --secret parameter.
- Run the ipa user-mod radiususer --radius=proxy_name command to assign a user to the added proxy.
- If required, configure the user name to be sent to RADIUS by running the ipa user-mod radiususer --radius-username=radius_user command.
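What the shared secret actually does on the wire, as an added Python example. This is not IdM or FreeRADIUS code: it implements the RFC 2865 User-Password hiding and the Response Authenticator for a PAP Access-Request/Access-Accept exchange, which is the MD5 use that Section 22.3.2 has to unlock under FIPS mode. Attribute type codes are the RFC 2865 values; the user name, password and secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                  # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()      # the MD5 use FIPS mode blocks
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side, inverse of hide_password. Trailing NULs added as padding are dropped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Client side (the KDC acting as RADIUS client). request_auth must be 16 fresh random octets."""
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_access_request(packet: bytes, secret: bytes):
    """Server side: return (identifier, request_auth, username, password)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs, fields, i = packet[4:20], packet[20:length], {}, 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        fields[attr_type] = attrs[i + 2:i + attr_len]
        i += attr_len
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    return identifier, request_auth, fields[ATTR_USER_NAME], password


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: only trust an Accept/Reject whose authenticator was made with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = build_response(code, identifier, request_auth, secret, packet[20:])
    return hmac.compare_digest(packet[4:20], expected[4:20])


if __name__ == "__main__":
    secret, ra = b"s3cr3t-shared-with-radius", os.urandom(16)
    req = build_access_request(1, b"alice", b"Passw0rd!123456", secret, ra)
    print("server recovered:", parse_access_request(req, secret)[3])
    reply = build_response(ACCESS_ACCEPT, 1, ra, secret)
    print("reply authentic:", response_is_authentic(reply, ra, secret))
```

The hiding is keyed MD5 with no integrity protection of its own, and the Response Authenticator is the only thing that stops an on-path attacker from turning a Reject into an Accept; both depend entirely on the secret's strength and secrecy. Treat the path between IdM and the proprietary RADIUS server as untrusted and protect it (for example with IPsec), and give the proxy a long random secret rather than a memorable one.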
22.3.7.1. Changing the Timeout Value of a KDC When Running a RADIUS Server in a Slow Network
- Change the value of the timeout parameter in the [otp] section of the /var/kerberos/krb5kdc/kdc.conf file. For example, to set the timeout to 120 seconds:
    [otp]
    DEFAULT = {
        timeout = 120
        ...
    }
- Restart the krb5kdc service:
    # systemctl restart krb5kdc
22.3.8. Promoting the Current Credentials to Two-Factor Authentication
- Lock your screen. The default keyboard shortcut to lock the screen is Super key+L.
- Unlock your screen. When asked for credentials, use both password and OTP.
22.3.9. Resynchronizing an OTP Token
22.3.10. Replacing a Lost OTP Token
- As an administrator, enable password and OTP authentication for the user:
    [admin@server]# ipa user-mod --user-auth-type=password --user-auth-type=otp user_name
  While both methods are enabled, the account can be accessed with the password alone, so keep this window as short as the procedure allows.
- The user can now add a new token. For example, to add a new token that has New Token set in the description:
    [user@server]# ipa otptoken-add --desc="New Token"
  For further details, run ipa otptoken-add --help.
- The user can now delete the old token:
  - Optionally, list the tokens associated with the account:
    [user@server]# ipa otptoken-find
    --------------------
    2 OTP tokens matched
    --------------------
      Unique ID: 4ce8ec29-0bf7-4100-ab6d-5d26697f0d8f
      Type: TOTP
      Description: New Token
      Owner: user

      Unique ID: e1e9e1ef-172c-4fa9-b637-6b017ce79315
      Type: TOTP
      Description: Old Token
      Owner: user
    ----------------------------
    Number of entries returned 2
    ----------------------------
  - Delete the old token. For example, to delete the token with the e1e9e1ef-172c-4fa9-b637-6b017ce79315 ID:
    [user@server]# ipa otptoken-del e1e9e1ef-172c-4fa9-b637-6b017ce79315
    --------------------------------------------------------
    Deleted OTP token "e1e9e1ef-172c-4fa9-b637-6b017ce79315"
    --------------------------------------------------------
- As an administrator, enable only OTP authentication for the user:
    [admin@server]# ipa user-mod --user-auth-type=otp user_name