<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <p>Hi Alexander,</p> <p><br> </p> <p>I somehow manage to try it on fedora and it did work fine for me.. </p> <p><br> </p> <p>Now is there any way i can restrict the login to OTP only? and not password + OTP?</p> <p><br> </p> <p>Best Regards,</p> <p>Deepak</p> <br> <br> <div style="color: rgb(0, 0, 0);"> <div> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Alexander Bokovoy <abokovoy@redhat.com><br> <b>Sent:</b> Friday, September 23, 2016 3:25 AM<br> <b>To:</b> Deepak Dimri<br> <b>Cc:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] key + 2FA (password+OTP) is not working</font> <div> </div> </div> </div> <font size="2"><span style="font-size:10pt;"> <div class="PlainText">On Fri, 23 Sep 2016, Deepak Dimri wrote:<br> ><br> >Hi All,<br> ><br> ><br> >I am trying hard to get my 2FA working with FreeIPA but every effort of<br> >mine going waste! I have referred earlier forum emails but could not<br> >find any good reply on the issue i am facing.<br> ><br> ><br> >This is what i am trying<br> ><br> ><br> >I have a test user created in my IPA server enabled with Two factor<br> >authentication (password + OTP) and has ssh public key added in its<br> >profile. I want this test user to ssh into my ipa client (ubuntu<br> >14.04) using key + password + OTP. I woudl ceryainly prefer just the<br> >key+ OTP only ( no password) but that seems far sighted as i cannot<br> >even make it work with what it supposed to work password + OTP.<br> Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the<br> platforms where we know it works for sure (for me, at least).<br> <br> This would allow us to reduce problem space to the client side.<br> <br> >My /etc/ssh/sshd_conf file has almost everything default except i<br> >added these two lines at the end of it<br> ><br> >Match Group testusergroup<br> ><br> > AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam<br> ><br> >i also tried with below but no luck<br> ><br> >Match Group testusergroup<br> ><br> > AuthenticationMethods publickey,keyboard-interactive<br> ><br> ><br> >my /etc/pam.d/sshd has these two changes, rest i kept default:<br> ><br> ><br> ># Standard Un*x authentication.<br> ><br> >#@include common-auth<br> ><br> ><br> >auth required pam_sss.so<br> ><br> ><br> >Now when i try to ssh into ipa client i either keep getting promptS for<br> >the password or it gets into a loop asking me to change the password<br> >;complaining falsely that it has expired. I have tried multiple<br> >combinations of configurations by referring earlier email threads but<br> >none i found helpful. I cant make simple 2FA login to work with<br> >freeIPA. Normal password and key works just fine. its the 2FA which<br> >does not work for me.<br> ><br> ><br> >Would really be thankful if some one can help me with this issue.. is<br> >there any good freeIPA 2FA configuration document that i can refer?<br> ><br> >What should the steps for it work seamlessly?<br> ><br> ><br> >Many Thanks,<br> ><br> >Deepak<br> ><br> <br> >-- <br> >Manage your subscription for the Freeipa-users mailing list:<br> ><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" id="LPlnk462263">https://www.redhat.com/mailman/listinfo/freeipa-users</a> <div id="LPBorder_GT_14746201990840.822264977930395" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;"> <table id="LPContainer_14746201990820.43172076296268846" cellspacing="0" style="width: 90%; position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top: 1px dotted rgb(200, 200, 200); border-bottom: 1px dotted rgb(200, 200, 200); background-color: rgb(255, 255, 255);"> <tbody> <tr valign="top" style="border-spacing: 0px;"> <td id="TextCell_14746201990830.23900006298861953" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;"> <div id="LPRemovePreviewContainer_14746201990830.1277186479722301"></div> <div id="LPTitle_14746201990830.6122315841513295" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, "Segoe UI Light", "Segoe WP Light", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; line-height: 21px;"> <a id="LPUrlAnchor_14746201990840.41069387712155936" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" style="text-decoration: none;">Freeipa-users Info Page - Red Hat</a></div> <div id="LPMetadata_14746201990840.9956363222373379" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;"> www.redhat.com</div> <div id="LPDescription_14746201990840.2775375020480477" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;"> Freeipa-users -- List dedicated to discussions about use, configuration and deployment of the IPA server. About Freeipa-users</div> </td> </tr> </tbody> </table> </div> <br> <br> >Go to <a href="http://freeipa.org">http://freeipa.org</a> for more info on the project<br> <br> <br> -- <br> / Alexander Bokovoy<br> </div> </span></font></div> </div> </body> </html>