[Freeipa-users] Password and OTP auth

Sumit Bose sbose at redhat.com
Wed May 17 09:17:34 UTC 2017


On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> Thanks, but I think I have a problem.
> 
> I have test user:
> 
> [root@ipa-centos]# ipa user-show test
>   User login: test
>   First name: test
>   Last name: test
>   Home directory: /home/test
>   Login shell: /bin/sh
>   Principal name: test@MYDOMAIN.COM
>   Principal alias: test@MYDOMAIN.COM
>   Email address: test@mydomain.com
>   UID: 152200001
>   GID: 152200001

As mentioned in the other thread there should be a listing of user auth
types here. Please try

    ipa user-mod test --user-auth-type=password --user-auth-type=otp

to allow both password and 2-factor/otp authentication.

>   Account disabled: False
>   Password: True
>   Member of groups: trust admins, ipausers, admins
>   Kerberos keys available: True
> 
> 
> And test host:
> 
> [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
>   Host name: ipa-client.mydomain.com
>   Principal name: host/ipa-client.mydomain.com@MYDOMAIN.COM
>   Principal alias: host/ipa-client.mydomain.com@MYDOMAIN.COM
>   SSH public key fingerprint: %SOME FINGERPRINTS%
>   Authentication Indicators: otp
>   Password: False
>   Keytab: True
>   Managed by: ipa-client.mydomain.com
> 
> 
> When I try to log in to ipa-client.mydomain.com with password+otptoken I
> get this error:
> 
> [mynotebook]$ ssh test@ipa-client.mydomain.com
> test@ipa-client.mydomain.com's password:

Please check if ChallengeResponseAuthentication is enabled in
/etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
by setting 'ChallengeResponseAuthentication yes'.

> Permission denied, please try again.
> 
> 
> Same if I try to use just the password.
> 
> On ipa server in krb5kdc.log I see:
> 
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp

The otp authentication indicator is missing in the Kerberos ticket of
the user. I assume that the ticket was requested only with the password.
Please see above what might be missing.

HTH

bye,
Sumit

> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> 
> What's wrong?
> 
> 2017-05-16 17:16 GMT+03:00 Sumit Bose <sbose at redhat.com>:
> 
> > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > > Hello all.
> > >
> > > Tell me please, is it possible to use password and OTP auth at the same
> > > time?
> > >
> > > For example, I have DEV/STAGE servers and want to be able to use password
> > > auth for ssh, but for PROD servers I want to use OTP auth for the same user.
> >
> > Authentication indicators can be used for this. If you add
> >
> > ipa host-mod --auth-ind=otp prod.server
> >
> > only 2-factor authentication should be possible on prod.server. But
> > please note that e.g. ssh-key based authentication will still be
> > possible as well.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> 
> 
> 
> -- 
> Best regards, Andrey Dudin
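As an added example (not code from the thread, from Sumit, or from FreeIPA), the POSIX shell script below automates the two checks raised in the reply above: it scans KDC log lines for TGS requests refused with HIGHER_AUTHENTICATION_REQUIRED and prints the client principal, the target service and the indicator the ticket lacks, and it reports the effective ChallengeResponseAuthentication value from an sshd_config text. The log excerpt and the sshd_config fragment are constructed for the example and modelled on the lines quoted in the thread; in practice the functions would be fed the KDC log on the IPA server (/var/log/krb5kdc.log on a typical installation) and /etc/ssh/sshd_config on the client.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): two small triage
# helpers for the checks discussed in the thread.  Every input below is
# constructed for the example; nothing is read from a live KDC or sshd.

# Constructed krb5kdc.log excerpt modelled on the lines quoted in the thread.
KDC_LOG='May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp'

# Constructed /etc/ssh/sshd_config fragment for the client host.
SSHD_CONFIG='# shipped default, commented out
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# For every TGS_REQ the KDC refused with HIGHER_AUTHENTICATION_REQUIRED, print
# "<client principal> <service principal> <missing indicators>".  A hit means
# the client holds a TGT that was issued without the indicator the host
# requires, i.e. the initial authentication did not go through OTP.
kdc_missing_indicators() {
    printf '%s\n' "$1" | awk '
        /TGS_REQ/ && /HIGHER_AUTHENTICATION_REQUIRED/ {
            # The message reads "... <client> for <service>, Required auth
            # indicators not present in ticket: <list>".
            if (match($0, /[^ ,]+ for [^ ,]+/)) {
                split(substr($0, RSTART, RLENGTH), p, " for ")
                sub(/.*not present in ticket: /, "")
                print p[1], p[2], $0
            }
        }'
}

# Report the effective ChallengeResponseAuthentication value in an sshd_config
# text: "yes" or "no".  sshd uses the first value it obtains for a keyword, so
# a later line cannot override an earlier one; commented lines are ignored.
# (Match blocks are not modelled here; that is a simplification of this example.)
sshd_challenge_response() {
    printf '%s\n' "$1" | awk '
        BEGIN { v = "no" }
        /^[ \t]*#/ { next }
        !seen && tolower($1) == "challengeresponseauthentication" {
            v = tolower($2); seen = 1
        }
        END { print v }'
}

# Stand-alone run over the constructed data.
echo "KDC refusals (client service missing-indicators):"
kdc_missing_indicators "$KDC_LOG"
echo "ChallengeResponseAuthentication on client: $(sshd_challenge_response "$SSHD_CONFIG")"
```

On the constructed data the first helper reports test@MYDOMAIN.COM asking for host/ipa-client.mydomain.com@MYDOMAIN.COM with "otp" missing, which is exactly the symptom in the thread, and the second reports "no" because the only uncommented ChallengeResponseAuthentication line disables it; with that setting sshd never runs the keyboard-interactive exchange that lets the PAM stack prompt for the OTP.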