Many thanks to all for your comments. I think I know how this feature can integrated into our infrastructure. I'll bring this into a testing environment now.
Cheers,
On 17Jan23 21:27+0000, Howard Chu wrote:
Bastian Tweddell wrote:
On 17Jan23 17:33+0000, Howard Chu wrote:
Sounds more like a question for your SSH server, and whether you can configure it to use PAM after a successful pubkey authentication.
Yes, PAM is enabled for sshd.
I do not have the full picture how slap-totp works. For me, there two open questions:
- From openldap pov: How would I make the bind call to slapd, so that only the TOTP is checked?
If you're talking about the totp module in the contrib source directory, all you need to do is a normal LDAP Simple Bind. LDAP modules for PAM would do this already.
Would the following be sufficient to achieve 2FA only:
userPassword: {TOTP512}$BASE64 # assuming the overlay is confgured properlyYes.
Would it be possible to use another attribute than `userPassword`?
Not with the existing code, no.
- PAM integration: This is not a question to this group here, but maybe there are some related ideas. How or which PAM module can be used?
nsspam-ldapd / nslcd, whatever the latest supported version is.
The aim is to avoid copying the TOTP secret of users to the local systems (which are the public accessible hosts).
Many thanks, Cheers, -- Bastian Tweddell Juelich Supercomputing Centre phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/