noggin
Group requiring 2fa
Would it be possible for some group to enforce that accounts have 2fa?
This would be nice for some groups such as the "sysadmin" group and other sensitive groups.
I think there was some reason this was not possible, but I am not sure. I agree it would be great!
Failing that, we should have a script that runs (daily?) and tells us who does not have an OTP enrolled so we can tell them to, or remove them. Also, moving forward, when sponsoring people to sysadmin groups we should confirm they have an OTP before adding them.
> I think there was some reason this was not possible, but I am not sure. I agree it would be great!

I don't think that is possible in IPA at the moment.

> Failing that, we should have a script that runs (daily?) and tells us who does not have an OTP enrolled so we can tell them to, or remove them.

This is possible, do you need help writing this script?

> Also, moving forward, when sponsoring people to sysadmin groups we should confirm they have an OTP before adding them.

I don't think that can be easily automated in Noggin, because a user can't know whether another user has an OTP token.
There is a script here that can be manually run to check the sysadmins without an OTP token. Feel free to pull apart the code as I am no Python expert by any means. https://pagure.io/fedora-infra/ansible/pull-request/544
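Added example, not part of the thread and not the script from the linked pull request: a sketch of the audit discussed above, listing group members who have no usable OTP token. It assumes the membership list and token records were already fetched with admin rights (for instance from IPA's `group_show` and `otptoken_find`), that timestamps arrive as generalized-time strings, and the function names and sample records are constructed for illustration.

```python
from datetime import datetime, timezone


def _first(value):
    """IPA JSON results usually wrap attribute values in single-item lists."""
    return value[0] if isinstance(value, (list, tuple)) and value else value


def token_is_usable(token, now):
    """A token counts only if it is not disabled and has not expired."""
    if str(_first(token.get("ipatokendisabled", False))).upper() == "TRUE":
        return False
    not_after = _first(token.get("ipatokennotafter"))
    if not_after:
        # Assumption: expiry is a generalized-time string such as 20240101000000Z
        expiry = datetime.strptime(not_after, "%Y%m%d%H%M%SZ")
        if expiry.replace(tzinfo=timezone.utc) <= now:
            return False
    return True


def members_without_otp(members, tokens, now=None):
    """Return the sorted group members that own no usable OTP token."""
    now = now or datetime.now(timezone.utc)
    enrolled = {
        _first(t.get("ipatokenowner")) for t in tokens if token_is_usable(t, now)
    }
    return sorted(set(members) - enrolled)


# Constructed sample data: members of a sensitive group and their token records
SAMPLE_MEMBERS = ["alice", "bob", "carol", "dave"]
SAMPLE_TOKENS = [
    {"ipatokenowner": ["alice"], "ipatokendisabled": [False]},
    {"ipatokenowner": ["bob"], "ipatokendisabled": [True]},  # disabled token
    {"ipatokenowner": ["carol"], "ipatokennotafter": ["20230101000000Z"]},  # expired
]  # dave has no token at all

if __name__ == "__main__":
    for user in members_without_otp(SAMPLE_MEMBERS, SAMPLE_TOKENS):
        print(f"{user}: no usable OTP token enrolled")
```

Counting only enabled, unexpired tokens matters here: a member whose sole token is disabled or expired would otherwise pass the audit.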