[Freeipa-devel] FreeIPA OTP End-to-End
Alexander Bokovoy
abokovoy at redhat.com
Tue Dec 24 11:55:48 UTC 2013
Alexander Bokovoy wrote:
> What does not yet work is end-to-end kinit without armoured ccache.
> This also is the case for PAM-based logins through SSSD.
This one is fixed now. There was a bug in SSSD's processing of a response
from a krb5_child process in case FAST is activated -- the SSS_OTP message was the last
one returned and SSSD erroneously thought it was a malformed packet.
I now have 2FA logons working with PAM-based apps (including SSH) using the following
configuration in sssd.conf:
----------------------------------
[domain/`domain`]
....
krb5_use_fast = try
krb5_fast_principal = host/`hostname`
....
----------------------------------
Patch for https://fedorahosted.org/sssd/ticket/2186 is on the SSSD development list.
--
/ Alexander Bokovoy