Guided Exercise: Implementing Two-factor Authentication

Configure one-time password (OTP) authentication and test it on a server configured to use OTP.

Outcomes

  • Verify Kerberos single sign-on.

  • Configure one-time password authentication.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start alternative-twofactor

Note

This exercise requires the use of either an Android or iPhone smartphone. To configure one-time passwords, you need to install an external Red Hat-sponsored application, or a QR code scanning application if you do not already have one. If you do not wish to install anything on your mobile device, consider this exercise concluded and perform the cleanup task.

Instructions

  1. Log in to the idm machine, and request a Kerberos ticket as the admin user with RedHat123^ as the password:

    [student@workstation ~]$ ssh idm
    [student@idm ~]$ kinit admin
    Password for admin@LAB.EXAMPLE.COM: RedHat123^
  2. Configure two-factor authentication for the idmuser02 user:

    [student@idm ~]$ ipa user-mod idmuser02 --user-auth-type=otp
    -------------------------
    Modified user "idmuser02"
    -------------------------
      User login: idmuser02
      First name: idmuser02
      Last name: idm
      Home directory: /home/idmuser02
      Login shell: /bin/sh
      Principal name: idmuser02@LAB.EXAMPLE.COM
      Principal alias: idmuser02@LAB.EXAMPLE.COM
      Email address: idmuser02@example.com
      UID: 12400003
      GID: 12400003
      User authentication types: otp
      Account disabled: False
    ...output omitted...
  3. On your mobile device, search for and install the FreeOTP Authenticator application.

    If you choose not to install FreeOTP on your mobile device, an alternative method using any QR code scanner is provided.

  4. On the idm machine, create the user-managed software token. Set phone as the description and set idmuser02 as the user:

    [student@idm ~]$ ipa otptoken-add --desc=phone --owner=idmuser02
  5. Scan the displayed QR code with FreeOTP to provision the token to the mobile device.

    As an alternative, use a QR code scanner to scan the QR code.

  6. On the workstation machine, open the web browser and navigate to https://idm.lab.example.com. If you are automatically logged in to the IdM web UI, log out of the dashboard.

  7. In the IdM web UI, log in as the idmuser02 user. For the password, enter the user password followed by a FreeOTP passcode.

    For the first part, enter RedHat123^. For the second part, use FreeOTP to generate a passcode. The two items combined form the one-time password (OTP).

    Click Login. The passcode is only valid for a brief period of time, so if authentication fails, try generating a new passcode.

    Note

    If you used the QR scanner, use the oathtool --base32 --totp command to generate the required passcode. In the otpauth URI displayed on your mobile device, find the secret= value and use that base32 string in place of CODE in the following command. Run it on the workstation machine:

    [student@workstation ~]$ oathtool --base32 \
      --totp CODE
    350759

    Enter the generated passcode at the end of the password, and then click Login.

  8. Log out of the web UI and exit the idm machine:

    [student@idm ~]$ exit
    logout
    Connection to idm closed.

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish alternative-twofactor

Revision: rh362-9.1-4c6fdb8