Hello Christian.

I thought about it a little bit more and suppose maybe it's not a bug, maybe
it's a security feature.

For example:
We have a PROD host with OTP auth and a user with password and OTP auth
enabled.
Some bad guy steals the user's password, goes to the FreeIPA web interface, adds a new
OTP token and goes on to kill our PROD.


2017-07-26 15:20 GMT+03:00 Christian Heimes <chei...@redhat.com>:

> On 2017-05-17 12:06, Andrey Dudin wrote:
> > Hello
> >
> > If I do  ipa user-mod test --user-auth-type=password
> > --user-auth-type=otp I have user:
> >
> > [root@ipa-centos]# ipa user-show test
> >   User login: test
> >   First name: test
> >   Last name: test
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Principal name: t...@mydomain.com
> >   Principal alias: t...@mydomain.com
> >   Email address: t...@mydomain.com
> >   UID: 152200001
> >   GID: 152200001
> >   User authentication types: otp, password
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, ipausers, admins
> >   Kerberos keys available: True
> >
> > I can login into ipa-client.mydomain.com
> > to ssh using password+otp token, but
> > for login to IPA Web UI I also need password+otp. I need just password
> > for IPA Web UI and password+otp token for ssh on ipa-client.mydomain.com.
> It's currently not possible to use password-only login when both 2FA and
> password-only are enabled for a user. It's a limitation of the web UI. I
> filed a bug report to track the issue,
> https://pagure.io/freeipa/issue/7068
>
> Regards,
> Christian
>
> --
> Christian Heimes
> Senior Software Engineer, Identity Management and Platform Security
>
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael
> O'Neill, Eric Shander
>
>


-- 
Best regards, Andrey Dudin
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org