[Freeipa-users] key + 2FA (password+OTP) is not working

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 23 09:07:34 UTC 2016


On Fri, 23 Sep 2016, Deepak Dimri wrote:
>Hi Alexander,
>
>
>I somehow managed to try it on Fedora and it did work fine for me.
>
>
>Now is there any way I can restrict the login to OTP only, and not password + OTP?
No, this is not supported. OTP value only is not secure enough (6 digits
by default, really low entropy).

>
>
>Best Regards,
>
>Deepak
>
>
>________________________________
>From: Alexander Bokovoy <abokovoy at redhat.com>
>Sent: Friday, September 23, 2016 3:25 AM
>To: Deepak Dimri
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working
>
>On Fri, 23 Sep 2016, Deepak Dimri wrote:
>>
>>Hi All,
>>
>>
>>I am trying hard to get my 2FA working with FreeIPA but every effort of
>>mine is going to waste! I have referred to earlier forum emails but could not
>>find any good reply on the issue I am facing.
>>
>>
>>This is what I am trying:
>>
>>
>>I have a test user created in my IPA server, enabled with two-factor
>>authentication (password + OTP), that has an ssh public key added in its
>>profile. I want this test user to ssh into my IPA client (Ubuntu
>>14.04) using key + password + OTP. I would certainly prefer just the
>>key + OTP only (no password) but that seems far sighted as I cannot
>>even make it work with what is supposed to work: password + OTP.
>Can you make it work on Fedora 24 or CentOS 7.2? I.e. on the
>platforms where we know it works for sure (for me, at least).
>
>This would allow us to reduce problem space to the client side.
>
>>My /etc/ssh/sshd_conf file has almost everything default except I
>>added these two lines at the end of it:
>>
>>Match Group testusergroup
>>
>>   AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>>
>>I also tried with the below but no luck:
>>
>>Match Group testusergroup
>>
>> AuthenticationMethods publickey,keyboard-interactive
>>
>>
>>My /etc/pam.d/sshd has these two changes, the rest I kept default:
>>
>>
>># Standard Un*x authentication.
>>
>>#@include common-auth
>>
>>
>>auth required pam_sss.so
>>
>>
>>Now when I try to ssh into the IPA client I either keep getting prompts for
>>the password or it gets into a loop asking me to change the password,
>>complaining falsely that it has expired. I have tried multiple
>>combinations of configurations by referring to earlier email threads but
>>none I found helpful. I can't make a simple 2FA login work with
>>FreeIPA. Normal password and key works just fine. It's the 2FA which
>>does not work for me.
>>
>>
>>Would really be thankful if someone can help me with this issue. Is
>>there any good FreeIPA 2FA configuration document that I can refer to?
>>
>>What should the steps be for it to work seamlessly?
>>
>>
>>Many Thanks,
>>
>>Deepak
>>
>

-- 
/ Alexander Bokovoy



