From Fedora Project Wiki
 
Latest revision as of 12:48, 28 May 2013

FreeIPA Two Factor Authentication

Summary

Provide Kerberos enabled, LDAP replicated, two-factor authentication for FreeIPA.

Owner

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-05-14
  • Percentage of completion: 100%
  • Patches are currently in review in corresponding projects: sssd, FreeIPA, MIT Kerberos
  • The core functionality (krb5, FreeIPA) is testable in F19 now.
  • Remaining functionality will be delivered in SSSD 1.10 and FreeIPA 3.2.1.
  • We will organize a test day in June.
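
{| class="wikitable"
|-
!
! scope="col"| Code
! scope="col"| Submitted
! scope="col"| Merged Upstream
! scope="col"| In F19
|-
! scope="row"| sssd
| [http://github.com/npmccallum/sssd/commit/b7e70d1da977f6b08a9590cdbfdb85683e52ccbe github.com]
| [http://lists.fedorahosted.org/pipermail/sssd-devel/2013-March/013944.html YES]
| [http://git.fedorahosted.org/cgit/sssd.git/commit/?id=b40583c6d52b72e41bf01106534535e54b4fba4f YES]
| [http://koji.fedoraproject.org/koji/buildinfo?buildID=416093 YES]
|-
! scope="row"| krb5
| [http://github.com/npmccallum/krb5/commits/otp github.com]
| YES
| In Process
| [http://koji.fedoraproject.org/koji/buildinfo?buildID=401767 YES]
|-
! scope="row"| freeipa-devel
| [http://github.com/npmccallum/freeipa/commits/otp github.com]
| [http://www.redhat.com/archives/freeipa-devel/2013-March/msg00125.html YES]
| YES
| [http://koji.fedoraproject.org/koji/buildinfo?buildID=419083 YES]
|}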

Detailed Description

Until recently, no two-factor authentication was possible with Kerberos. However, the standardization of RFC 6560, combined with recent work in the MIT krb5 code, now makes it possible to offer support for two-factor authentication in Kerberos.

Fedora 18 already supports most of the client side of this proposal. FreeIPA will be landing support for the server side in Fedora 19.

Benefit to Fedora

Users of FreeIPA will be able to deploy two-factor authentication across the replicated user directory.

Scope

  • sssd will need to merge a patch for client side integration with OTP (already written).
  • krb5 will need to backport a self-contained plugin for the server-side support (upstream work in process).
  • FreeIPA will gain a dependency on libverto (already packaged and already a dependency of krb5).

How To Test

Each component will have unit tests.

To test the feature as a whole, you will need a TOTP (RFC 6238) client, such as Google Authenticator. You will then add a token to a user and confirm that authentication succeeds.

User Experience

No change will be made by default. When an admin configures a user for two-factor authentication, the authenticating user will need to use a TOTP client.

Dependencies

MIT needs to merge the OTPOverRADIUS proposal upstream. However, since we are backporting this feature anyway, this risk is minimal.

Contingency Plan

None necessary; FreeIPA will work exactly as it currently does.

Documentation

  • http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
  • http://freeipa.org/page/V3/OTP

Release Notes

Two Factor Authentication is now available for FreeIPA. For instructions, please see your FreeIPA administrator.

Comments and Discussion