How to Configure 2 Factor Authentication or OTP in FreeIPA
What is OTP and 2FA?
OTP stands for One Time Password and 2FA for Two Factor Authentication. OTP has been available for a long time; RSA then came up with hardware tokens some time in the 1990s, which made it much more usable. The IdM solution for OTP authentication is only supported for clients running Red Hat Enterprise Linux 7.1 or later.
A one-time password (OTP) is a password valid for only one authentication session; it becomes invalid after use. Unlike a traditional static password, an OTP generated by an authentication token keeps changing. OTPs are used as part of two-factor authentication:
- The user authenticates with a traditional password.
- The user provides an OTP code generated by a recognized OTP token.
Two-factor authentication is considered safer than authentication using a traditional password alone. Even if a potential intruder intercepts the OTP during login, the intercepted OTP will already be invalid by that point because it can only be used for successful authentication once.
User-managed and Administrator-managed Tokens
Users can manage their own tokens, or the administrator can manage their tokens for them:
User-managed tokens
Users have full control over user-managed tokens in Identity Management: they are allowed to create, edit, or delete their tokens.
Administrator-managed tokens
The administrator adds administrator-managed tokens to the users' accounts. Users themselves have read-only access to such tokens: they do not have permission to manage or modify the tokens, and they are not required to configure them in any way.
Supported OTP Algorithms
Identity Management supports the following two standard OTP mechanisms:
- The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hashed Message Authentication Code.
- The Time-Based One-Time Password (TOTP) algorithm is an extension of HOTP to support a time-based moving factor.
Installing FreeIPA
Follow this article to install and set up FreeIPA on CentOS 7 or CentOS 8.
After adding a host to FreeIPA and adding a user to FreeIPA, we go straight to the procedure for enabling OTP for user logins.
Command Line: Enabling Two Factor Authentication
To set authentication methods globally for all users:
- Run the ipa config-mod --user-auth-type command. For example, to set the global authentication method to two-factor authentication:
  $ ipa config-mod --user-auth-type=otp
To set authentication methods individually for a specified user:
- Run the ipa user-mod --user-auth-type command. For example, to set that a user will be required to use two-factor authentication:
  $ ipa user-mod user --user-auth-type=otp
1. Login to the FreeIPA Web UI (https://freeipa.example.com/ipa/ui/) with the initial username and password provided by the Administrator.
2. Reset your password now, providing the "Current password" and the new password twice.
3. Now click "OTP tokens" and click "ADD" to create a token for your user.
4. Now give a description and click the "ADD and Edit" button to generate a QR code.
5. Now install the app "FreeOTP from Red Hat" on your mobile device, scan the QR code and click "OK" to close the pop-up.
Mac: https://apps.apple.com/in/app/freeotp-authenticator/id872559395
Google Authenticator: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_IN
6. Now log in to the server using your password and OTP.