[Freeipa-users] key + 2FA (password+OTP) is not working
Deepak Dimri
deepak_dimri at hotmail.com
Fri Sep 23 08:44:44 UTC 2016
Hi Alexander,
I somehow manage to try it on fedora and it did work fine for me..
Now is there any way i can restrict the login to OTP only? and not password + OTP?
Best Regards,
Deepak
________________________________
From: Alexander Bokovoy <abokovoy at redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working
On Fri, 23 Sep 2016, Deepak Dimri wrote:
>
>Hi All,
>
>
>I am trying hard to get my 2FA working with FreeIPA but every effort of
>mine going waste! I have referred earlier forum emails but could not
>find any good reply on the issue i am facing.
>
>
>This is what i am trying
>
>
>I have a test user created in my IPA server enabled with Two factor
>authentication (password + OTP) and has ssh public key added in its
>profile. I want this test user to ssh into my ipa client (ubuntu
>14.04) using key + password + OTP. I woudl ceryainly prefer just the
>key+ OTP only ( no password) but that seems far sighted as i cannot
>even make it work with what it supposed to work password + OTP.
Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).
This would allow us to reduce problem space to the client side.
>My /etc/ssh/sshd_conf file has almost everything default except i
>added these two lines at the end of it
>
>Match Group testusergroup
>
> AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
>i also tried with below but no luck
>
>Match Group testusergroup
>
> AuthenticationMethods publickey,keyboard-interactive
>
>
>my /etc/pam.d/sshd has these two changes, rest i kept default:
>
>
># Standard Un*x authentication.
>
>#@include common-auth
>
>
>auth required pam_sss.so
>
>
>Now when i try to ssh into ipa client i either keep getting promptS for
>the password or it gets into a loop asking me to change the password
>;complaining falsely that it has expired. I have tried multiple
>combinations of configurations by referring earlier email threads but
>none i found helpful. I cant make simple 2FA login to work with
>freeIPA. Normal password and key works just fine. its the 2FA which
>does not work for me.
>
>
>Would really be thankful if some one can help me with this issue.. is
>there any good freeIPA 2FA configuration document that i can refer?
>
>What should the steps for it work seamlessly?
>
>
>Many Thanks,
>
>Deepak
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
Freeipa-users Info Page - Red Hat<https://www.redhat.com/mailman/listinfo/freeipa-users>
www.redhat.com
Freeipa-users -- List dedicated to discussions about use, configuration and deployment of the IPA server. About Freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160923/c8a63e4e/attachment.htm>
More information about the Freeipa-users
mailing list