I think pam/sssd is not authenticating correctly

This is what the login sequence looks like when the otp auth indicator is set 
on the host, and default user auth is password and otp:

ssh user@test2fa01
user@test2fa01's password:
user@test2fa01's password:
user@test2fa01's password:
First Factor:
Second Factor (optional):
First Factor:
Second Factor (optional):
Connection to test2fa01 closed by remote host.
Connection to test2fa01 closed.

Shouldn't it just be using the First Factor: Second Factor: style prompt?

-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Tuesday, 21 November 2017 1:32 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Re: Enabling two-factor by host

When assuming the user as a regular user we get a "Correct" response, so pam 
and sssd are not co-operating:

[user2@test2fa01 ~]$ su - user
First Factor:
Second Factor (optional):
Last login: Mon Nov 20 04:23:17 UTC 2017 from laptop.local on pts/0
Last failed login: Mon Nov 20 23:27:17 UTC 2017 from laptop.local on ssh:notty
There were 47 failed login attempts since the last successful login.
[user@test2fa01 ~]$


-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Tuesday, 21 November 2017 12:02 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Re: Enabling two-factor by host

Hello the list,

I think pam/sssd is not authenticating correctly

This is what the login sequence looks like when the otp auth indicator is set 
on the host, and default user auth is password and otp:

ssh user@test2fa01
user@test2fa01's password:
user@test2fa01's password:
user@test2fa01's password:
First Factor:
Second Factor (optional):
First Factor:
Second Factor (optional):
Connection to test2fa01 closed by remote host.
Connection to test2fa01 closed.

Shouldn't it just be using the First Factor: Second Factor: style prompt?

-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Monday, 20 November 2017 5:33 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Re: Enabling two-factor by host

Hello the List,

This doesn't quite work. We have two hosts, we want a user to just use a 
password on one host, and password + OTP on a second host.

I have set the FreeIPA server to use both password and otp+password:

ipa config-mod --user-auth-type={password,otp}

One host (test2fa02) left with no required auth indicator

One host (test2fa01) with otp as a required auth indicator.

ipa host-mod  --auth-ind=otp test2fa01

I have a user with a token, and no auth-types chosen (i.e. using defaults) and 
an OTP token set.

The user is able to log in to test2fa02 which does not require OTP, but I am 
unable to log into test2fa01

If I set the user to use OTP only, two-factor authentication works, but is required 
by both hosts.

If I set the default to use OTP only, two-factor authentication works, but is 
required on both hosts.

If I unset the auth options on user and server the password works on test2fa02, 
but auth fails on test2fa01

If I unset auth for user, and set server auth to password and OTP the password 
works on test2fa02, but auth fails on test2fa01

If I unset auth for server, and set auth for user to password and OTP the 
password works on test2fa02, but auth fails on test2fa01

We only want 2FA required on specific hosts, the other hosts should 
authenticate with just password.


Any suggestions?

Aaron
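The per-host check that authentication indicators add at the KDC, modelled in Python as an added example (not code from this thread, from FreeIPA or from MIT krb5): a TGT obtained with password pre-authentication carries no indicator, a TGT obtained with OTP pre-authentication carries "otp", and a service ticket for a host principal is issued only when the TGT carries every indicator the host requires. The host names, the user name and the pre-auth-to-indicator mapping are constructed sample data mirroring the configurations tried above; `allowed_methods` stands in for `--user-auth-type`, `required_indicators` for `--auth-ind`.

```python
# Added example: toy model of Kerberos authentication-indicator enforcement.
# Not FreeIPA or MIT krb5 code; names and mappings are constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Indicator a TGT carries after each pre-authentication method (simplified model;
# the real KDC records indicators in the ticket's authorization data).
PREAUTH_INDICATORS: Dict[str, FrozenSet[str]] = {
    "password": frozenset(),        # plain password pre-auth records no indicator
    "otp": frozenset({"otp"}),      # OTP pre-auth records the "otp" indicator
}


@dataclass(frozen=True)
class TicketGrantingTicket:
    principal: str
    indicators: FrozenSet[str]


@dataclass(frozen=True)
class HostPrincipal:
    name: str
    # Stands in for `ipa host-mod --auth-ind=...`; empty set means no requirement.
    required_indicators: FrozenSet[str] = frozenset()


def obtain_tgt(
    user: str,
    preauth_method: str,
    allowed_methods: FrozenSet[str] = frozenset({"password", "otp"}),
) -> TicketGrantingTicket:
    """AS exchange: the permitted pre-auth methods (the `--user-auth-type` setting)
    decide which methods are accepted, and the method used decides the indicators."""
    if preauth_method not in PREAUTH_INDICATORS:
        raise ValueError(f"unknown pre-auth method: {preauth_method}")
    if preauth_method not in allowed_methods:
        raise PermissionError(
            f"AS request for {user} refused: {preauth_method} pre-auth not permitted"
        )
    return TicketGrantingTicket(user, PREAUTH_INDICATORS[preauth_method])


def issue_service_ticket(tgt: TicketGrantingTicket, host: HostPrincipal) -> Tuple[bool, str]:
    """TGS exchange: refuse unless the TGT carries every indicator the host requires."""
    missing = host.required_indicators - tgt.indicators
    if missing:
        return False, (
            f"KDC refuses host/{host.name} for {tgt.principal}: "
            f"TGT lacks indicator(s) {sorted(missing)}"
        )
    return True, f"KDC issues host/{host.name} ticket to {tgt.principal}"


def evaluate_scenarios() -> Dict[Tuple[str, str], bool]:
    """Run both pre-auth methods against a host with no indicator and one requiring otp."""
    hosts = [
        HostPrincipal("test2fa02"),                       # no auth indicator required
        HostPrincipal("test2fa01", frozenset({"otp"})),   # otp required
    ]
    results: Dict[Tuple[str, str], bool] = {}
    for method in ("password", "otp"):
        tgt = obtain_tgt("user", method)
        for host in hosts:
            ok, reason = issue_service_ticket(tgt, host)
            results[(method, host.name)] = ok
            print(reason)
    return results


if __name__ == "__main__":
    evaluate_scenarios()
```

The model makes the two observations above mechanical: with only `otp` permitted, the AS exchange itself refuses password pre-auth, so every host ends up requiring the second factor; with both methods permitted, a TGT taken with the password path alone is refused by the host whose principal requires `otp`, while the host with no indicator accepts it.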
-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Monday, 20 November 2017 12:59 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Re: Enabling two-factor by host

Thanks Sumit,

This looks like what we're after, I'll follow up after some testing.

Aaron

-----Original Message-----
From: Sumit Bose via FreeIPA-users 
[mailto:freeipa-users@lists.fedorahosted.org] 
Sent: Friday, 17 November 2017 9:06 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose <sb...@redhat.com>
Subject: [Freeipa-users] Re: Enabling two-factor by host

On Fri, Nov 17, 2017 at 04:09:01AM +0000, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
> 
> Is it possible to enable two-factor authentication using Google Authenticator 
> on FreeIPA on specific hosts or groups of hosts?
> 
> Alternatively, are there any recommendations on modifying the Pam 
> configuration on these 2FA required machines to grab the OTP token from 
> FreeIPA when a user logs in?

Please check if authentication indicators is what you are looking for, see e.g.
https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indicators/
for details, look especially for 'Enforcing 2FA on a host principal'.

HTH

bye,
Sumit

> 
> Regards,
> 
> Aaron
> 
> Get Outlook for iOS<https://aka.ms/o0ukef>

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to 
> freeipa-users-le...@lists.fedorahosted.org