[Freeipa-users] Password and OTP auth

Andrey Dudin dudin.andrey at gmail.com
Tue May 16 15:05:06 UTC 2017


Thanks, but I think I have a problem.

I have test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: test@MYDOMAIN.COM
  Principal alias: test@MYDOMAIN.COM
  Email address: test@mydomain.com
  UID: 152200001
  GID: 152200001
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain.com@MYDOMAIN.COM
  Principal alias: host/ipa-client.mydomain.com@MYDOMAIN.COM
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com


When I try to log in to ipa-client.mydomain.com with password+OTP token I
get an error:

[mynotebook]$ ssh test@ipa-client.mydomain.com
test@ipa-client.mydomain.com's password:
Permission denied, please try again.


The same happens if I try to use just the password.

On the IPA server, in krb5kdc.log, I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose <sbose at redhat.com>:

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please, is it possible to use password and OTP auth at the same
> > time?
> >
> > For example, I have DEV/STAGE servers and want to be able to use password
> > auth for ssh, but for PROD servers I want to use OTP auth for the same
> > user.
>
> Authentication indicators can be used for this. If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>



-- 
Best regards, Andrey Dudin
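A small detection helper, added here as an illustration and not part of the thread or of FreeIPA itself: it pulls the HIGHER_AUTHENTICATION_REQUIRED entries out of krb5kdc.log (the KDC refusing a service ticket because the TGT lacks the indicator the host demands) and summarises them per principal, service and missing indicator. The sample log is a constructed copy of the entries above, unwrapped to one entry per line; the function names are my own and the field layout assumed is the one visible in those lines.

```shell
#!/bin/sh
# Parse krb5kdc.log for service-ticket denials caused by missing
# authentication indicators (e.g. a host with --auth-ind=otp being asked
# for a ticket by a client whose TGT was obtained with a password only).

# Constructed sample, copied from the thread above with each KDC entry on
# a single line, as krb5kdc.log actually writes it.
SAMPLE_LOG=$(cat <<'EOF'
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
EOF
)

# Read a krb5kdc.log on stdin and print one line per denial:
#   <client-ip> <client-principal> <service-principal> <missing indicators>
# Only TGS_REQ lines carrying HIGHER_AUTHENTICATION_REQUIRED match; the
# AS_REQ/NEEDED_PREAUTH/ISSUE noise is dropped by the sed -n filter.
kdc_auth_ind_failures() {
  sed -n 's/^.*) \([0-9.][0-9.]*\): HIGHER_AUTHENTICATION_REQUIRED: authtime [0-9]*, \([^ ]*\) for \([^,]*\), Required auth indicators not present in ticket: \(.*\)$/\1 \2 \3 \4/p'
}

# Aggregate the denials: how often each (principal -> service) pair was
# refused and which indicators were missing. Several missing indicators
# are space separated in the log; they are joined with commas here.
kdc_auth_ind_summary() {
  kdc_auth_ind_failures | awk '
    {
      ind = $4
      for (i = 5; i <= NF; i++) ind = ind "," $i
      key = $2 " -> " $3 " missing " ind
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | kdc_auth_ind_summary
```

On a real IPA server run it as `kdc_auth_ind_summary < /var/log/krb5kdc.log`. A count that climbs for a principal whose AS_REQ was satisfied with a password alone is exactly the situation in the log above: the TGT was issued, but it carries no `otp` indicator, so every service ticket for a host marked `--auth-ind=otp` is refused.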