<div dir="ltr"><div>Hello</div><div><br></div><div>If I do <span style="font-size:12.8px"> </span><span style="font-size:12.8px">ipa user-mod test --user-auth-type=password --user-auth-type=otp I have user:</span></div><div><span style="font-size:12.8px"><br></span></div><div>[root@ipa-centos]# ipa user-show test</div><div> User login: test</div><div> First name: test</div><div> Last name: test</div><div> Home directory: /home/test</div><div> Login shell: /bin/sh</div><div> Principal name: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a></div><div> Principal alias: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a></div><div> Email address: <a href="mailto:test@mydomain.com">test@mydomain.com</a></div><div> UID: 152200001</div><div> GID: 152200001</div><div> User authentication types: otp, password</div><div> Account disabled: False</div><div> Password: True</div><div> Member of groups: trust admins, ipausers, admins</div><div> Kerberos keys available: True</div><div><br></div><div>I can login into <a href="http://ipa-client.mydomain.com">ipa-client.mydomain.com</a> to ssh using password+otp token, but for login to IPA Web UI I also need password+otp. I need just password for IPA Web UI and password+otp token for ssh on <a href="http://ipa-client.mydomain.com">ipa-client.mydomain.com</a>.</div><div><br></div><div><br></div><div><div>[root@ipa-centos]# ipa service-show HTTP/<a href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a> --raw</div><div> krbcanonicalname: HTTP/<a href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a></div><div> krbprincipalname: HTTP/<a href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a></div><div> usercertificate: %cert%</div><div> subject: CN=<a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a>,O=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a></div><div> serial_number: 9</div><div> serial_number_hex: 0x9</div><div> issuer: CN=Certificate Authority,O=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a></div><div> valid_not_before: Tue May 16 11:32:36 2017 UTC</div><div> valid_not_after: Fri May 17 11:32:36 2019 UTC</div><div> md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1</div><div> sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04</div><div> krbprincipalauthind: password</div><div> has_keytab: TRUE</div><div> managedby: fqdn=<a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a>,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-05-17 12:17 GMT+03:00 Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:<br> > Thanks, but I think I have a problem.<br> ><br> > I have test user:<br> ><br> > [root@ipa-centos]# ipa user-show test<br> > User login: test<br> > First name: test<br> > Last name: test<br> > Home directory: /home/test<br> > Login shell: /bin/sh<br> > Principal name: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a><br> > Principal alias: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a><br> > Email address: <a href="mailto:test@mydomain.com">test@mydomain.com</a><br> > UID: 152200001<br> > GID: 152200001<br> <br> As mentioned in the other thread there should be a listing of user auth<br> types here. Please try<br> <br> ipa user-mod test --user-auth-type=password --user-auth-type=otp<br> <br> to allow both password and 2-factor/otp authentication.<br> <br> > Account disabled: False<br> > Password: True<br> > Member of groups: trust admins, ipausers, admins<br> > Kerberos keys available: True<br> ><br> ><br> > And test host:<br> ><br> > [root@ipa-centos]# ipa host-show <a href="http://ipa-client.mydomain.com" rel="noreferrer" target="_blank">ipa-client.mydomain.com</a><br> > Host name: <a href="http://ipa-client.mydomain.com" rel="noreferrer" target="_blank">ipa-client.mydomain.com</a><br> > Principal name: host/<a href="mailto:ipa-client.mydomain.com@MYDOMAIN.COM">ipa-client.mydomain.com@<wbr>MYDOMAIN.COM</a><br> > Principal alias: host/<a href="mailto:ipa-client.mydomain.com@MYDOMAIN.COM">ipa-client.mydomain.com@<wbr>MYDOMAIN.COM</a><br> > SSH public key fingerprint: %SOME FINGERPRINTS%<br> > Authentication Indicators: otp<br> > Password: False<br> > Keytab: True<br> > Managed by: <a href="http://ipa-client.mydomain.com" rel="noreferrer" target="_blank">ipa-client.mydomain.com</a><br> ><br> ><br> > When I trying to login to <a href="http://ipa-client.mydomain.com" rel="noreferrer" target="_blank">ipa-client.mydomain.com</a> with password+otptoken I<br> > have error:<br> ><br> > [mynotebook]$ ssh <a href="mailto:test@ipa-client.mydomain.com">test@ipa-client.mydomain.com</a><br> > <a href="mailto:test@ipa-client.mydomain.com">test@ipa-client.mydomain.com</a>'s password:<br> <br> Please check if ChallengeResponseAuthenticatio<wbr>n is enabled in<br> /etc/ssh/sshd_config on <a href="http://ipa-client.mydomain.com" rel="noreferrer" target="_blank">ipa-client.mydomain.com</a>. If not please enable it<br> by setting '<wbr>ChallengeResponseAuthenticatio<wbr>n yes'.<br> > Permission denied, please try again.<br> ><br> ><br> > Same if I trying to use just password.<br> ><br> > On ipa server in krb5kdc.log I see:<br> ><br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16<br> > 23 25 26}) <a href="http://10.0.1.22" rel="noreferrer" target="_blank">10.0.1.22</a>: NEEDED_PREAUTH: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a> for krbtgt/<br> > <a href="mailto:MYDOMAIN.COM@MYDOMAIN.COM">MYDOMAIN.COM@MYDOMAIN.COM</a>, Additional pre-authentication required<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16<br> > 23 25 26}) <a href="http://10.0.1.22" rel="noreferrer" target="_blank">10.0.1.22</a>: NEEDED_PREAUTH: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a> for krbtgt/<br> > <a href="mailto:MYDOMAIN.COM@MYDOMAIN.COM">MYDOMAIN.COM@MYDOMAIN.COM</a>, Additional pre-authentication required<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16<br> > 23 25 26}) <a href="http://10.0.1.22" rel="noreferrer" target="_blank">10.0.1.22</a>: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18<br> > ses=18}, <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a> for krbtgt/<a href="mailto:MYDOMAIN.COM@MYDOMAIN.COM">MYDOMAIN.COM@MYDOMAIN.<wbr>COM</a><br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16<br> > 23 25 26}) <a href="http://10.0.1.22" rel="noreferrer" target="_blank">10.0.1.22</a>: HIGHER_AUTHENTICATION_<wbr>REQUIRED: authtime 1494946853,<br> > <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a> for host/<a href="mailto:ipa-client.mydomain.com@MYDOMAIN.COM">ipa-client.mydomain.com@<wbr>MYDOMAIN.COM</a>, Required<br> > auth indicators not present in ticket: otp<br> <br> The otp authentication indicator is missing in the Kerberos ticket of<br> the user. I assume that the ticket was requested only with the password.<br> Please see above what might be missing.<br> <br> HTH<br> <br> bye,<br> Sumit<br> <br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16<br> > 23 25 26}) <a href="http://10.0.1.22" rel="noreferrer" target="_blank">10.0.1.22</a>: HIGHER_AUTHENTICATION_<wbr>REQUIRED: authtime 1494946853,<br> > <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a> for host/<a href="mailto:ipa-client.mydomain.com@MYDOMAIN.COM">ipa-client.mydomain.com@<wbr>MYDOMAIN.COM</a>, Required<br> > auth indicators not present in ticket: otp<br> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12<br> ><br> > What's wrong?<br> ><br> > 2017-05-16 17:16 GMT+03:00 Sumit Bose <<a href="mailto:sbose@redhat.com">sbose@redhat.com</a>>:<br> ><br> > > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:<br> > > > Hello all.<br> > > ><br> > > > tell me please. Is it possible to use password and otp auth at the one<br> > > > moment?<br> > > ><br> > > > For example I have DEV/STAGE servers and want to be able use password<br> > > auth<br> > > > for ssh, but for PROD servers I want to use OTP auth for same user.<br> > ><br> > > Authentication indicators can be used for this. If you add<br> > ><br> > > ipa host-mod --auth-ind=otp prod.server<br> > ><br> > > Only 2-factor authentication should be possible on prod.server. But<br> > > please note that e.g. ssh-key based authentication will still be<br> > > possible as well.<br> > ><br> > > HTH<br> > ><br> > > bye,<br> > > Sumit<br> > ><br> > > > --<br> > > > Manage your subscription for the Freeipa-users mailing list:<br> > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br> > > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> > ><br> > > --<br> > > Manage your subscription for the Freeipa-users mailing list:<br> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br> > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> > ><br> ><br> ><br> <span class="HOEnZb"><font color="#888888">><br> > --<br> > С уважением Дудин Андрей<br> </font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span style="font-size:12.8px">С уважением Дудин Андрей</span><br></div></div> </div>