From Fedora Project Wiki

No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 41: Line 41:


Once we are logged in as a non-OTP user, we can do a FAST OTP authentication:
Once we are logged in as a non-OTP user, we can do a FAST OTP authentication:
  # kinit -T `klist | grep cache | cut -d':' -f2-` otp
  # <nowiki>kinit -T `klist | grep cache | cut -d':' -f2-` otp</nowiki>


You should now be prompted to "Enter OTP Token Value:". First, type the otp user's password. Next, type the OTP code displayed on Google Authenticator. Finally, hit enter.
You should now be prompted to "Enter OTP Token Value:". First, type the otp user's password. Next, type the OTP code displayed on Google Authenticator. Finally, hit enter.


If all went well, issuing a 'klist' command should show you as having successfully authenticated with multiple factors!
If all went well, issuing a 'klist' command should show you as having successfully authenticated with multiple factors!
===== Testing for Failure =====
Now that we know everything is working, let's ensure that bad passwords actually cause authentication to fail. Simply issue the following command and enter random token values to confirm failure:
# <nowiki>kinit -T `klist | grep cache | cut -d':' -f2-` otp</nowiki>


|results=
|results=

Latest revision as of 20:50, 5 June 2013

Description

Internal OTP.

Setup

Prerequisites

  1. A FreeIPA instance setup like this.
  2. Google Authenticator on your Android, iOS or Blackberry device.

How to test

Preparation

Log in as the admin:

# kinit admin

Create a user for OTP testing:

# ipa user-add otp --random

Log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.

# kinit otp
Password
Remember the password you create! It is your first factor.

Enabling OTP

Log back in as the admin:

# kinit admin
Maximize Your Terminal
Just do it. Otherwise your QR Code won't display properly.

Once your terminal is maximized, enable OTP for the user:

# ipa-testday-otp otp

This command, if successful will print a QR Code to the terminal. Before you do anything else, scan this code using Google Authenticator. This will create a new token in Google Authenticator which you can use to log in. At this point, the user 'otp' can only log in via two factors.

Testing Two-Factor Authentication

Clients which will support OTP, like SSSD, will enable FAST automatically. However, for testing purposes, kinit requires manual configuration.

First, we need to log in as the admin user (or really any non-OTP user) so that we can use this user's ccache to enable FAST.

# kinit admin

Once we are logged in as a non-OTP user, we can do a FAST OTP authentication:

# kinit -T `klist | grep cache | cut -d':' -f2-` otp

You should now be prompted to "Enter OTP Token Value:". First, type the otp user's password. Next, type the OTP code displayed on Google Authenticator. Finally, hit enter.

If all went well, issuing a 'klist' command should show you as having successfully authenticated with multiple factors!

Testing for Failure

Now that we know everything is working, let's ensure that bad passwords actually cause authentication to fail. Simply issue the following command and enter random token values to confirm failure:

# kinit -T `klist | grep cache | cut -d':' -f2-` otp

Expected Results

All the test steps should end with the specified results.