[OOD-users] TFA / Duo with OOD?

Franz, Eric efranz at osc.edu
Fri Apr 27 11:22:15 EDT 2018


Any federated authentication option for Apache that can be extended to support 2FA would work, as Ric's example shows. Of course, for whatever authentication method is used, OnDemand will have to be configured to properly map the authenticated user to the corresponding system user.

OSC uses Keycloak to implement its OpenID Connect Identity Provider. Keycloak has built-in support for 2FA via Google Authenticator or FreeOTP, but that support has limitations. We can support individual users enabling 2FA but not enforce a 2FA requirement across all users, or a subset of users. So we don’t make use of this feature yet in production. I intend to explore the possibility of configuring Keycloak with PAM, which may help some sites who already use PAM to enforce 2FA for SSH sessions.

Thanks,
Eric

---
Eric Franz, Senior Web & Interface App Engineer
Ohio Supercomputer Center
An Ohio Technology Consortium (OH-TECH) Member
1224 Kinnear Road
Columbus, OH 43212
email: efranz at osc.edu
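
An added example, not part of the original message and not Open OnDemand's own code: one way to write the user-mapping step mentioned above as a strict allow-list, so that a successful 2FA login only ever resolves to the matching system account. It assumes the mapping command receives the URL-encoded authenticated identity as its single argument and prints the system username; `example.edu`, `map_user`, `local_account_exists` and the UID floor are hypothetical.

```python
"""Map a federated identity (e.g. Apache REMOTE_USER) to a local account."""
import pwd
import re
import sys
from urllib.parse import unquote

# Assumption: the identity provider asserts "<username>@<realm>";
# example.edu is a placeholder realm, not taken from the thread.
TRUSTED_REALM = "example.edu"
# Conservative POSIX-style login name, at most 32 characters.
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MIN_UID = 1000  # assumption: never map to root or service accounts


def local_account_exists(name):
    """True if name is a real, non-system account on this host."""
    try:
        return pwd.getpwnam(name).pw_uid >= MIN_UID
    except KeyError:
        return False


def map_user(remote_user, exists=local_account_exists):
    """Return the system username for remote_user, or None to deny."""
    identity = unquote(remote_user)  # decode exactly once, then validate
    name, sep, realm = identity.partition("@")
    if not sep or realm != TRUSTED_REALM:
        return None  # missing realm, foreign realm, or a second "@"
    if not LOGIN_RE.fullmatch(name):
        return None  # empty, uppercase, path characters, over-long
    if not exists(name):
        return None  # authenticated, but no corresponding system user
    return name


if __name__ == "__main__":
    user = map_user(sys.argv[1]) if len(sys.argv) == 2 else None
    if user is None:
        sys.exit(1)  # print nothing and fail: no mapping, no session
    print(user)
```

Denying by default matters here because the second factor protects only the login; a loose mapping rule would still let a correctly authenticated identity land on someone else's account.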
From: OOD-users <ood-users-bounces+efranz=osc.edu at lists.osc.edu> on behalf of "Anderson, Richard O - (ric)" <ric at email.arizona.edu>
Reply-To: User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Date: Monday, April 23, 2018 at 12:57 PM
To: User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Subject: Re: [OOD-users] TFA / Duo with OOD?

We use DUO with OOD at The University of Arizona via WebAuth.
Ric
--
Ric Anderson            RT/HPC Systems Administrator, Principal
The University of Arizona, 1077 N. Highland, Tucson, AZ 85721
ric at email.arizona.edu  http://it.arizona.edu


--
Sent from a mobile device; please excuse typos and brevity is not meant to be brusque.
---
________________________________
From: OOD-users <ood-users-bounces at lists.osc.edu> on behalf of Shawn Doughty <shawn.doughty at tufts.edu>
Sent: Monday, April 23, 2018 9:48:05 AM
To: User support mailing list for Open OnDemand
Subject: Re: [OOD-users] TFA / Duo with OOD?

I second Susan's question as people are starting to ask about that issue as well. Tufts implements this at the PAM level but we haven't examined how that will work on the OOD gateway but I have a feeling that will have to change soon.

--
Shawn G. Doughty
Tufts University

On Mon, Apr 23, 2018 at 12:41 PM, Susan Litzinger <susan at psc.edu> wrote:
Has anyone implemented two-factor authentication for use with their Open OnDemand implementation?  We have a group of users who are under contract to use TFA with certain datasets and are eager to use OOD.  Just thought I'd check before we start putting effort into it here.

TIA - Susan Litzinger
Pittsburgh Supercomputing Center




--
Shawn G. Doughty
Senior Research Technology Specialist, Research Technology
Tufts Technology Services (TTS)
16 Dearborn Road
Somerville, MA 02144
617-627-5462
http://it.tufts.edu/