PIV verification status communicated to remote realms #33
PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device. Do you need MFA as well?
Interesting use case. I think the remote bastion can also pass some more information to the local one, such as:
Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of:
... which would deny any remote user not having PIV enforced on his local bastion.
anything that could help enforce access policies
When it comes to PIV, I like some flexibility.
The main goal of a realm is to not have the notion of a user in the local bastion. Authentication is delegated to the distant bastion.
Could be done too, even if it would be a bit more complex: realm-wide setting:
group-wide setting:
per-host: not really doable, because nobody has the authority over a given host, from the point of view of the bastion: a host can be in 2 distinct groups for that matter, with 2 distinct owners. Or a group can be 0.0.0.0/0 and have all the possible hosts in it. But then, you might also want to grant an account the right to bypass the realm-wide policy, because this account might be a robot and doesn't have the required hand to click on his PIV key... This is what has been done for password MFA and TOTP MFA:
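To make the layering discussed above concrete (remote realm reports PIV/MFA status; local bastion applies a realm-wide setting, a group-wide setting, and a per-account bypass for robots), here is an added illustration of such a decision function. It is example code written for this discussion, not the-bastion's own code or its realm protocol: the `RemoteRealmInfo` shape, the `LocalPolicy` fields, the `decide` function and the rule that the most restrictive of the realm-wide and group-wide settings wins are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RemoteRealmInfo:
    """Constructed shape of what a remote realm could report about a
    connecting user (assumed for this example; not a the-bastion wire format)."""
    realm: str
    account: str
    piv_enforced: bool                   # remote bastion required a PIV key for this account
    mfa_types: frozenset = frozenset()   # factors the remote bastion verified, e.g. {"totp"}


@dataclass
class LocalPolicy:
    """Layered local policy following the thread's realm-wide / group-wide /
    per-account-bypass structure (field names and combination rules are assumptions)."""
    realm_require_piv: dict = field(default_factory=dict)   # realm -> bool
    group_require_piv: dict = field(default_factory=dict)   # group -> bool
    realm_require_mfa: dict = field(default_factory=dict)   # realm -> bool
    bypass_accounts: frozenset = frozenset()                # "realm/account" entries (robots)


def decide(info: RemoteRealmInfo, group: str, policy: LocalPolicy) -> tuple[bool, str]:
    """Return (allowed, reason). Assumed rules: an explicit per-account bypass wins;
    otherwise the most restrictive of the realm-wide and group-wide settings applies.
    There is deliberately no per-host rule, for the reason given in the thread."""
    key = f"{info.realm}/{info.account}"
    if key in policy.bypass_accounts:
        return True, f"{key} bypasses realm/group policy"

    need_piv = (policy.realm_require_piv.get(info.realm, False)
                or policy.group_require_piv.get(group, False))
    if need_piv and not info.piv_enforced:
        return False, f"{key}: PIV not enforced on remote bastion {info.realm}"

    # PIV only proves where the private key lives; MFA is a separate requirement.
    if policy.realm_require_mfa.get(info.realm, False) and not info.mfa_types:
        return False, f"{key}: no MFA factor verified by remote bastion {info.realm}"

    return True, f"{key}: local policy satisfied"


# Constructed sample policy for the scenarios below (not real configuration).
SAMPLE_POLICY = LocalPolicy(
    realm_require_piv={"corp-eu": True},
    group_require_piv={"prod-db": True},
    realm_require_mfa={"corp-eu": True},
    bypass_accounts=frozenset({"corp-eu/backup-robot"}),
)


def evaluate_samples() -> dict:
    """Run constructed scenarios through decide(); returns name -> allowed."""
    cases = {
        "piv_ok": (RemoteRealmInfo("corp-eu", "alice", True, frozenset({"totp"})), "dev"),
        "no_piv_realm": (RemoteRealmInfo("corp-eu", "bob", False, frozenset({"totp"})), "dev"),
        "no_piv_group": (RemoteRealmInfo("partner", "carol", False), "prod-db"),
        "no_piv_no_policy": (RemoteRealmInfo("partner", "dave", False), "dev"),
        "robot_bypass": (RemoteRealmInfo("corp-eu", "backup-robot", False), "prod-db"),
        "piv_but_no_mfa": (RemoteRealmInfo("corp-eu", "erin", True), "dev"),
    }
    return {name: decide(info, grp, SAMPLE_POLICY)[0] for name, (info, grp) in cases.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The bypass check sits first on purpose: a robot account that cannot touch a PIV key would otherwise be denied by the realm-wide rule, which is the case the thread raises. The separate MFA check reflects the first reply's point that a PIV-backed key and a verified second factor are different properties and should be reported and enforced separately.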
In any case, @Alkorin, we'll need
In a multi-realm deployment infra, the remote realm should send PIV information to the local bastion.
This could be used to enforce local Multi-Factor Authentication policies even for realm users.