[Freeipa-devel] FreeIPA OTP End-to-End

Alexander Bokovoy abokovoy at redhat.com
Tue Dec 24 11:55:48 UTC 2013


Alexander Bokovoy wrote:
> What does not yet work is end-to-end kinit without armoured ccache.
> This also is the case for PAM-based logins through SSSD.
This one is fixed now. There was a bug in SSSD's processing of a response
from a krb5_child process in case FAST is activated -- the SSS_OTP message was the last
one returned and SSSD erroneously thought it was a malformed packet.

I now have 2FA logons working with PAM-based apps (including SSH) using the following
configuration in sssd.conf:
----------------------------------
[domain/`domain`]
....
krb5_use_fast = try
krb5_fast_principal = host/`hostname`
....
----------------------------------

Patch for https://fedorahosted.org/sssd/ticket/2186 is on the SSSD development list.
-- 
/ Alexander Bokovoy
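
A check that can be run over an sssd.conf to see which domains have FAST armouring configured as in the snippet above. This is an added example, not part of the original message or of SSSD; the sample file, its domain and host names, and the helper name audit_fast are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; domain and host names are placeholders.
SAMPLE = """\
[sssd]
services = nss, pam
domains = ipa.example.test, legacy.example.test, lab.example.test

[domain/ipa.example.test]
id_provider = ipa
krb5_use_fast = try
krb5_fast_principal = host/client.ipa.example.test

[domain/legacy.example.test]
id_provider = ipa

[domain/lab.example.test]
id_provider = ipa
krb5_use_fast = never
"""

def audit_fast(conf_text):
    """Map each [domain/...] section to (status, detail, fast_principal)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [pam], ... carry no krb5_* options
        name = section.split("/", 1)[1]
        mode = cp[section].get("krb5_use_fast", "").strip().lower()
        principal = cp[section].get("krb5_fast_principal", "").strip() or None
        if mode == "demand":
            status, detail = "required", "authentication fails if FAST is unavailable"
        elif mode == "try":
            status, detail = "opportunistic", "FAST is attempted, unarmoured fallback allowed"
        elif mode in ("", "never"):
            status, detail = "off", "no FAST channel, so no armoured OTP exchange"
        else:
            status, detail = "invalid", "unknown krb5_use_fast value: " + mode
        report[name] = (status, detail, principal)
    return report

if __name__ == "__main__":
    for domain, (status, detail, principal) in audit_fast(SAMPLE).items():
        print(f"{domain}: {status} - {detail} (fast principal: {principal})")
```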



