Inform users in the interactive_restricted group that they must authenticate to the CA ControlMinder endpoint to get write permission to files, and to be able to use sesu to switch users. To authenticate themselves, users run the sepromote utility, and enter a one-time password (OTP).
Note: For more information about the sesu and sepromote utilities, see the Utilities chapter of the CA ControlMinder Reference Guide.
How strong authentication works from the user's point of view:
1. You receive a message that you are in restricted mode. Users in the interactive_restricted group can read files and execute commands. They cannot modify any files except for a predefined list of non-files that they are authorized to modify. The message reminds you to run the sepromote utility to remove the restriction.
2. Run the sepromote utility, supplying your user name:
   sepromote -u username
3. The sepromote utility prompts you for a one-time password.
   Note: Passcode generation is an offline process. Your OTP client does not need to be connected to CA AuthMinder to generate passcodes.
4. CA AuthMinder validates the passcode, and sepromote authenticates you. You now work under regular policy rules.
Note: If authenticated users from a system with a current CA ControlMinder version log in to an older system, they do not retain their strong authentication.
Copyright © 2013 CA Technologies.
All rights reserved.