[Freeipa-users] OTP vs password?
Jakub Hrozek
jhrozek at redhat.com
Mon Oct 26 18:39:40 UTC 2015
On Mon, Oct 26, 2015 at 10:24:06AM -0700, Janelle wrote:
> Hello all...
>
> Seeing something very strange. With OTP enabled for all users - here is the
> configuration:
>
> Some hosts fully "enrolled" with IPA, and some are simply configured with
> authconfig to use LDAP backend for authentication.
>
> RANDOMLY <---- Keyword here -- all systems use SSSD regardless of the
> authentication method. A user will be able to login with password+token, but
> the random part - sometimes JUST the password. Is this possible due to some
> odd caching issues with SSSD perhaps or ??? How might I research this? is
> there anything to look for in configs or logs?

I would assume that when just the password suffices, the client would be
offline (because when offline, we can only compare the first factor).

You can verify this by running klist -- that would show you if the TGT
was acquired when you logged in -- or by increasing pam_verbosity to tell
you when the login happened offline.

btw, for testing, you can send SIGUSR1 and SIGUSR2 to trigger
online/offline transitions (see man sssd(8)).
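
The two checks suggested in the reply can be scripted as below. This is an added example, not part of the original message or of SSSD itself; the function names `pam_verbosity_of` and `login_mode` and the `KLIST` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for the two checks mentioned in the reply above.
# Function names and the KLIST variable are hypothetical, not SSSD tooling.

# Print the pam_verbosity value set in the [pam] section of an sssd.conf
# file (usually /etc/sssd/sssd.conf). Prints 1, the documented default,
# when the option is not set there.
pam_verbosity_of() {
    awk '
        # Track which section we are in; only [pam] counts.
        /^[ \t]*\[/ {
            in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/)
            next
        }
        # Commented-out lines start with # or ; and do not match.
        in_pam && /^[ \t]*pam_verbosity[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            v = $0
        }
        END { print (v == "" ? 1 : v) }
    ' "$1"
}

# Classify the current session by whether a valid TGT is in the
# credential cache. "klist -s" prints nothing and only sets the exit
# status. A password-only login accepted while SSSD was offline leaves
# no fresh TGT behind; a ticket left over from an earlier login can still
# be present, so compare its start time with the login time as well.
login_mode() {
    if "${KLIST:-klist}" -s 2>/dev/null; then
        echo "online"
    else
        echo "offline-or-no-tgt"
    fi
}

# Typical use right after logging in on the affected host:
#   login_mode
#   pam_verbosity_of /etc/sssd/sssd.conf
```

Run `login_mode` immediately after a login that accepted only the password; `offline-or-no-tgt` is consistent with the offline explanation given above.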