Npmccallum (talk | contribs) No edit summary |
Npmccallum (talk | contribs) No edit summary |
||
Line 33: | Line 33: | ||
This command, if successful will print a [http://en.wikipedia.org/wiki/QR_code QR Code] to the terminal. Before you do anything else, scan this code using Google Authenticator. This will create a new token in Google Authenticator which you can use to log in. At this point, the user 'otp' can only log in via two factors. | This command, if successful will print a [http://en.wikipedia.org/wiki/QR_code QR Code] to the terminal. Before you do anything else, scan this code using Google Authenticator. This will create a new token in Google Authenticator which you can use to log in. At this point, the user 'otp' can only log in via two factors. | ||
==== | ==== Testing Two-Factor Authentication ==== | ||
Clients which will support OTP, like SSSD, will enable FAST automatically. However, for testing purposes, kinit requires manual configuration. | Clients which will support OTP, like SSSD, will enable FAST automatically. However, for testing purposes, kinit requires manual configuration. | ||
First, we need to log in as the admin user (or really any user) so that we can use this user's ccache to enable FAST. | First, we need to log in as the admin user (or really any non-OTP user) so that we can use this user's ccache to enable FAST. | ||
# kinit admin | |||
Once we are logged in as a non-OTP user, we can do a FAST OTP authentication: | |||
# kinit -T `klist | grep cache | cut -d':' -f2-` otp | |||
You should now be prompted to "Enter OTP Token Value:". First, type the otp user's password. Next, type the OTP code displayed on Google Authenticator. Finally, hit enter. | |||
If all went well, issuing a 'klist' command should show you as having successfully authenticated with multiple factors! | |||
|results= | |results= |
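Review bot: The added `kinit -T` line puts literal `|` characters inside what the trailing `|results=` line shows to be a template argument, and the rendered revision below stops at "# kinit -T `klist", so the rest of the command, the "Enter OTP Token Value:" step and the final klist check never reach the reader. Escape the pipes (for example with `{{!}}`) or wrap the command in `<nowiki>` so the whole pipeline renders. Separately, `grep cache` matches any klist line containing that word, so matching the cache header line specifically would make the step less fragile.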
Revision as of 16:05, 31 May 2013
Description
Internal OTP.
Setup
Prerequisites
How to test
Preparation
Log in as the admin:
# kinit admin
Create a user for OTP testing:
# ipa user-add otp --random
Log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.
# kinit otp
Enabling OTP
Log back in as the admin:
# kinit admin
Once your terminal is maximized, enable OTP for the user:
# ipa-testday-otp otp
This command, if successful, will print a QR Code to the terminal. Before you do anything else, scan this code using Google Authenticator. This will create a new token in Google Authenticator which you can use to log in. At this point, the user 'otp' can only log in via two factors.
Testing Two-Factor Authentication
Clients which will support OTP, like SSSD, will enable FAST automatically. However, for testing purposes, kinit requires manual configuration.
First, we need to log in as the admin user (or really any non-OTP user) so that we can use this user's ccache to enable FAST.
# kinit admin
Once we are logged in as a non-OTP user, we can do a FAST OTP authentication:
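# kinit -T `klist | grep cache | cut -d':' -f2-` otp
You should now be prompted to "Enter OTP Token Value:". First, type the otp user's password. Next, type the OTP code displayed on Google Authenticator. Finally, hit enter.
If all went well, issuing a 'klist' command should show you as having successfully authenticated with multiple factors!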
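The armor-ccache lookup used by the `kinit -T` step, written as an added example (not part of the original test page or of FreeIPA). It assumes MIT klist output, where the cache is reported on a line starting with "Ticket cache: "; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the FAST armor ccache for `kinit -T` from klist output.

# Constructed sample of MIT klist output (not captured from a real host).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/31/13 16:05:00  06/01/13 16:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Read klist output on stdin and print the credential cache name.
# Only the "Ticket cache: " header line is accepted, so a principal or
# service name that happens to contain "cache" is never picked up, and
# the name is printed without the leading space that cut -d: -f2- leaves.
armor_ccache_from_klist() {
    awk '
        /^Ticket cache: / {
            sub(/^Ticket cache: /, "")   # keep colons in FILE:, KEYRING:, DIR::
            print
            found = 1
            exit
        }
        END { if (!found) exit 1 }       # no cache line: report failure
    '
}

# Run a FAST-armored kinit for principal $1, using the ccache of the
# non-OTP user who is currently logged in (for example after kinit admin).
fast_kinit() {
    principal=$1
    ccache=$(klist 2>/dev/null | armor_ccache_from_klist) || {
        echo "no credential cache found: run 'kinit admin' first" >&2
        return 1
    }
    # Quoting keeps the cache name a single argument to -T.
    kinit -T "$ccache" "$principal"
}

# Usage on a test machine, after 'kinit admin':
#   fast_kinit otp
```

Failing early when no cache line is found avoids calling `kinit -T` with an empty argument, which is what the backtick pipeline does if the admin login was skipped.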
Expected Results
All the test steps should end with the specified results.