Our Kerberos implementation supports three forms of two-factor authentication: TOTP, HOTP, and Yubikey. In addition, Google Authenticator can still be used, as in the past.
TOTP and HOTP both work with an application on your phone or other device. The application displays a 6-digit code, which you append to the end of your password when you log in.
TOTP and HOTP use slightly different algorithms. TOTP is time-based: each code is valid only for a window of about 30 seconds, so you need your phone with you to log in. HOTP is counter-based: codes are used once each, in order, and the next code is valid no matter when you use it. That means you can generate a batch of HOTP codes in advance and keep them in your wallet.
There are things to think about before using two-factor authentication. See the section at the end.
For more detailed documentation, see the Red Hat one-time password documentation.
Enabling Two-factor Authentication
Two-factor authentication uses "tokens." For TOTP and HOTP, a token is simply an entry in your mobile app. The same mobile app can hold tokens for many different systems, and you can have more than one token for a system, e.g. one for TOTP and one for HOTP.
To enable two-factor authentication, log into one of our systems. To add a TOTP token, type
ipa otptoken-add
This command will display a QR code. In the phone app, tap the QR icon and scan the displayed code with the camera. This adds a TOTP token. To add an HOTP token, use
ipa otptoken-add --type=hotp
Yubikey is a physical device that you carry with you and plug into a USB port. If you have a Yubikey, you can use it with our system. Insert your key, and then type the command
If you use a Yubikey, we recommend also enrolling a TOTP or HOTP token, since the Yubikey won't let you ssh in from a non-CS system such as your home computer.
Mobile Device Clients
Clients for TOTP and HOTP are available for many devices. For iOS and Android, look for "FreeOTP" in the appropriate app store. The ipa otptoken-add command will display a QR code, which you scan with the phone application to configure it.
Because TOTP and HOTP are the same open standards that Google Authenticator uses, you can also use a Google Authenticator implementation on your device. For devices other than iOS and Android, we recommend looking for a Google Authenticator-compatible app.
Using the Client
FreeOTP on your mobile device will display a 6-digit code. To log in, type your normal password with the 6 digits appended to the end.
If you're worried about forgetting or losing your phone, one approach is to add both an HOTP and a TOTP token. Generate several codes from the HOTP token, in order, and keep them in your wallet; use TOTP for normal logins. If you lose your phone, you can log in with the codes from your wallet until you can replace it or remove two-factor authentication. Each HOTP code works once, and they must be used in the order generated, so treat the slip like a password. (Use "ipa otptoken-find" to list your tokens, and "ipa otptoken-del UNIQUEID" to remove one.)
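The following Python is an added illustration for this page (it is not the site's Kerberos or FreeIPA code). It implements the HOTP and TOTP algorithms described above (RFC 4226 and RFC 6238), checked against the reference vectors from those RFCs, together with a simple server-side verifier that shows why a time-based code stops working after its 30-second window while counter-based codes pre-generated for your wallet keep working in order but can never be replayed. The secret is the RFCs' test secret; the look-ahead window and clock-skew allowance are assumed values, not anything the site has published.

```python
# HOTP (RFC 4226) and TOTP (RFC 6238), with server-side checks.
# Added illustration for this page, not the site's Kerberos/FreeIPA code.
# The secret below is the reference test secret from the RFCs; the
# look-ahead window and clock-skew allowance are assumed values.
import hashlib
import hmac
import struct

# Constructed input: the ASCII test secret used by the RFC 4226/6238 vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch, so every code asked for within one period is the same."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current period plus `skew` periods either side (assumed
    allowance for phone/server clock drift). The code dies once time moves on."""
    t = now // step
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-skew, skew + 1))


class HotpVerifier:
    """Server side of HOTP. Keeps the next expected counter and searches a
    look-ahead window (assumed size) for codes the user skipped. Accepting a
    code advances the counter past it, so a used or older code is rejected
    even though, unlike a TOTP code, it never expires on its own."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def wallet_codes(secret: bytes, start: int, n: int) -> list:
    """Pre-generate n consecutive HOTP codes to carry as a backup; use them
    in order and treat the slip like a password."""
    return [hotp(secret, c) for c in range(start, start + n)]


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))             # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(SECRET, 59, digits=8))  # 94287082 per RFC 6238
    v = HotpVerifier(SECRET)
    slip = wallet_codes(SECRET, 0, 5)
    print("use 2nd slip code:", v.verify(slip[1]))  # True, counter jumps to 2
    print("replay 1st code  :", v.verify(slip[0]))  # False, it is behind the counter
```

Note that a 6-digit code is just the last six digits of the 8-digit one, so TOTP at time 59 (period 1) is the same as HOTP with counter 1; the two schemes differ only in where the counter comes from.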
Two-factor authentication is incompatible with Kerberos key tables (keytabs) and with cron jobs. By definition, two-factor authentication requires a second factor at the moment you authenticate, and there is no way for cron to supply one. The same problem exists if you want daemons to start automatically under your userid when a system reboots.
We have several solutions for people who use two-factor authentication and also need to use cron:
- Use Google Authenticator. Although Google Authenticator uses the same technology as the two-factor support in Kerberos, it is checked in a different place: login checks Google Authenticator, but cron does not. It is not quite as secure, because someone who is able to become root and knows your password can access your files without the second factor. For many users, however, it may be good enough. It works with cron jobs, though you'll still need to use "kgetcred -r" to register any system where you run cron jobs.
- Use a second userid. E.g. user smith might have a second userid, smith-cron, for cron jobs. That id would not use two-factor authentication. Because it is a separate user, it has no special access to smith's files, so a compromise of smith-cron would have no effect on smith's files. If specific files need to be shared, that can be done easily with group access. To request a second userid, please send email to firstname.lastname@example.org. (Alternatively, you could use two-factor authentication for the second userid and not your primary userid.)
- Store all files needed by the cron job on local file systems. For many systems that is /freespace. Note, however, that freespace is not backed up and is likely to be wiped between semesters. For that reason we recommend keeping a copy of the files in your home directory.