Group requiring 2fa

Open pypingou opened this issue 3 years ago • 3 comments

Would it be possible for some group to enforce that accounts have 2fa?

This would be nice for some groups such as the "sysadmin" group and other sensitive groups.

pypingou avatar Mar 26 '21 14:03 pypingou

I think there was some reason this was not possible, but I am not sure. I agree it would be great!

Failing that, we should have a script that runs (daily?) and tells us who does not have an otp enrolled so we can tell them to, or remove them. Also, moving forward, when sponsoring people to sysadmin groups we should confirm they have an otp before adding them.

nirik avatar Mar 27 '21 17:03 nirik

> I think there was some reason this was not possible, but I am not sure. I agree it would be great!

I don't think that is possible in IPA at the moment.

> Failing that, we should have a script that runs (daily?) and tells us who does not have an otp enrolled so we can tell them to, or remove them.

This is possible, do you need help writing this script?

> Also, moving forward, when sponsoring people to sysadmin groups we should confirm they have an otp before adding them.

I don't think that can be easily automated in Noggin, because a user can't know whether another user has an OTP token.

abompard avatar Apr 13 '21 12:04 abompard

There is a script here that can be manually run to check the sysadmins without an otp token. Feel free to pull apart the code as I am no Python expert by any means. https://pagure.io/fedora-infra/ansible/pull-request/544

markobrien1 avatar Apr 15 '21 13:04 markobrien1
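The audit discussed in this thread (list the members of a sensitive group who have no OTP token), sketched as an added example; it is not the script from the linked pull request and not part of Noggin. It assumes the group members and token records were already exported from IPA as plain Python data, with keys named after the FreeIPA token attributes `ipatokenowner`, `ipatokendisabled`, `ipatokennotbefore` and `ipatokennotafter`; the sample users and the function names are constructed. A disabled or expired token is treated the same as no token, since it gives no second factor.

```python
from datetime import datetime, timezone

# Constructed sample data. Keys follow FreeIPA's token attribute names; the flat
# dict shape is an assumption about how the caller exported them.
MEMBERS = ["alice", "bob", "carol", "dave", "erin"]
TOKENS = [
    {"ipatokenowner": "alice"},
    {"ipatokenowner": "bob", "ipatokendisabled": True},
    {"ipatokenowner": "carol", "ipatokennotafter": "20200101000000Z"},
    {"ipatokenowner": "erin", "ipatokennotafter": "20200101000000Z"},
    {"ipatokenowner": "erin"},
]


def _ldap_time(value):
    """Parse an LDAP GeneralizedTime string such as 20200101000000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def token_is_usable(token, now):
    """A token counts only if it is enabled and inside its validity window."""
    if token.get("ipatokendisabled"):
        return False
    not_before = token.get("ipatokennotbefore")
    not_after = token.get("ipatokennotafter")
    if not_before and _ldap_time(not_before) > now:
        return False
    if not_after and _ldap_time(not_after) <= now:
        return False
    return True


def members_without_otp(members, tokens, now=None):
    """Map each member lacking a usable token to the reason it was flagged."""
    now = now or datetime.now(timezone.utc)
    states = {}
    for tok in tokens:
        states.setdefault(tok["ipatokenowner"], []).append(token_is_usable(tok, now))
    findings = {}
    for user in sorted(set(members)):
        if user not in states:
            findings[user] = "no token enrolled"
        elif not any(states[user]):
            findings[user] = "only disabled or out-of-window tokens"
    return findings


if __name__ == "__main__":
    for user, reason in members_without_otp(MEMBERS, TOKENS).items():
        print(f"sysadmin member {user}: {reason}")
```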