On Tue, Nov 21, 2017 at 01:47:04PM +1300, Aaron Hicks via FreeIPA-users wrote:
> I found it, it was in /etc/ssh/sshd_config
> 
> This requires in the sshd config:
> 
> ChallengeResponseAuthentication yes
> AuthenticationMethods keyboard-interactive
> 
> We now can enable 2FA on a per-host basis.

glad it is working for you now. Yes, ChallengeResponseAuthentication
must be set to 'yes' because with PasswordAuthentication the ssh client
will unconditionally only ask for a password.

bye,
Sumit

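The two sshd settings the thread ends on are easy to get wrong when they are appended to an existing sshd_config, because sshd takes the first occurrence of a keyword and ignores later ones. This added check (not from the thread or from FreeIPA) reads only the global section of a config file, matches keywords case-insensitively, and reports whether the PAM First Factor / Second Factor prompts can be offered; the sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread. Only the global section (before
# any "Match" block) is read, and the FIRST occurrence of a keyword wins,
# exactly as sshd resolves it.

# Print the effective global value of KEYWORD ($1) from FILE ($2), or nothing.
sshd_global_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comments, blanks
        tolower($1) == "match" { exit }                      # end of global section
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Return 0 when sshd will offer the PAM keyboard-interactive prompts the
# thread relies on, 1 otherwise (with a line saying which setting is off).
check_sshd_2fa() {
    cra=$(sshd_global_value ChallengeResponseAuthentication "$1")
    methods=$(sshd_global_value AuthenticationMethods "$1")
    ok=0
    case "$(printf '%s' "$cra" | tr 'A-Z' 'a-z')" in
        yes) ;;
        *) echo "ChallengeResponseAuthentication is '${cra:-unset}', need yes"; ok=1 ;;
    esac
    case " $methods " in
        *keyboard-interactive*) ;;
        *) echo "AuthenticationMethods is '${methods:-unset}', need keyboard-interactive"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample configs written into directory $1: one correct host and
# one where "yes" was appended below an earlier "no" (a common mistake).
write_sample_configs() {
    cat > "$1/good_sshd_config" <<'EOF'
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
Match User backup
    AuthenticationMethods publickey
EOF
    cat > "$1/bad_sshd_config" <<'EOF'
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods password
EOF
}

# Stand-alone use: check_2fa.sh /etc/ssh/sshd_config
[ "$#" -gt 0 ] && check_sshd_2fa "$1"
```

The same check can be run against the live daemon's view with `sshd -T`, which prints the resolved values in lowercase.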
> 
> -----Original Message-----
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
> Sent: Tuesday, 21 November 2017 1:32 PM
> To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
> 
> When assuming the user as a regular user we get a "Correct" response, so pam 
> and sssd are not co-operating:
> 
> [user2@test2fa01 ~]$ su - user
> First Factor:
> Second Factor (optional):
> Last login: Mon Nov 20 04:23:17 UTC 2017 from laptop.local on pts/0
> Last failed login: Mon Nov 20 23:27:17 UTC 2017 from laptop.local on ssh:notty
> There were 47 failed login attempts since the last successful login.
> [user@test2fa01 ~]$
> 
> 
> -----Original Message-----
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
> Sent: Tuesday, 21 November 2017 12:02 PM
> To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
> 
> Hello the list,
> 
> I think pam/sssd is not authenticating correctly
> 
> This is what the login sequence looks like when the otp auth indicator is set 
> on the host, and default user auth is password and otp:
> 
> ssh user@test2fa01
> user@test2fa01's password:
> user@test2fa01's password:
> user@test2fa01's password:
> First Factor:
> Second Factor (optional):
> First Factor:
> Second Factor (optional):
> Connection to test2fa01 closed by remote host.
> Connection to test2fa01 closed.
> 
> Shouldn't it just be using the First Factor: Second Factor: style prompt?
> 
> -----Original Message-----
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
> Sent: Monday, 20 November 2017 5:33 PM
> To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
> 
> Hello the List,
> 
> This doesn't quite work. We have two hosts, we want a user to just use a 
> password on one host, and password + OTP on a second host.
> 
> I have set the FreeIPA server to use both password and otp+password:
> 
> ipa config-mod --user-auth-type={password,otp}
> 
> One host (test2fa02) left with no required auth indicator
> 
> One host (test2fa01) with otp as a required auth indicator.
> 
> ipa host-mod  --auth-ind=otp test2fa01
> 
> I have a user with a token, and no auth-types chosen (i.e. using defaults) 
> and an OTP token set.
> 
> The user is able to log in to test2fa02 which does not require OTP, but I am 
> unable to log into test2fa01
> 
> I set the user to use OTP only, two factor authentication works, but is 
> required by both hosts
> 
> I set the default to use OTP only, two factor authentication works, but is 
> required on both hosts
> 
> If I unset the auth options on user and server the password works on 
> test2fa02, but auth fails on test2fa01
> 
> If I unset auth for user, and set server auth to password and OTP the 
> password works on test2fa02, but auth fails on test2fa01
> 
> If I unset auth for server, and set auth for user to password and OTP the 
> password works on test2fa02, but auth fails on test2fa01
> 
> We only want 2FA required on specific hosts, the other hosts should 
> authenticate with just password.
> 
> 
> Any suggestions?
> 
> Aaron
> -----Original Message-----
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
> Sent: Monday, 20 November 2017 12:59 PM
> To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
> 
> Thanks Sumit,
> 
> This looks like what we're after, I'll follow up after some testing.
> 
> Aaron
> 
> -----Original Message-----
> From: Sumit Bose via FreeIPA-users 
> [mailto:freeipa-users@lists.fedorahosted.org] 
> Sent: Friday, 17 November 2017 9:06 PM
> To: freeipa-users@lists.fedorahosted.org
> Cc: Sumit Bose <sb...@redhat.com>
> Subject: [Freeipa-users] Re: Enabling two-factor by host
> 
> On Fri, Nov 17, 2017 at 04:09:01AM +0000, Aaron Hicks via FreeIPA-users wrote:
> > Hello the list,
> > 
> > Is it possible to enable two-factor authentication using Google 
> > Authenticator on FreeIPA on specific hosts or groups of hosts?
> > 
> > Alternatively, are there any recommendations on modifying the Pam 
> > configuration on these 2FA required machines to grab the OTP token from 
> > FreeIPA when a user logs in?
> 
> Please check if authentication indicators is what you are looking for, see 
> e.g.
> https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indicators/
> for details, look especially for 'Enforcing 2FA on a host principal'.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Regards,
> > 
> > Aaron
> > 
> > Get Outlook for iOS<https://aka.ms/o0ukef>
> 
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to 
> > freeipa-users-le...@lists.fedorahosted.org