Hello the List,

 

A couple of new things to this problem, when a user has an expired password
and a valid OTP token, the password reset process is broken on all machines
at the ssh prompt. Even the ones that do not require 2FA.

 

Feedback so far form Sumit indicates this is incorrect behaviour.

 

As an attempt to get around this, I've tried adding a permission to the
helpdesk role that would allow them to manage OTP tokens. I'll submit
another thread on that.

 

Regards,

 

Aaron

 

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Thursday, 23 November 2017 6:31 AM
To: Sumit Bose <sb...@redhat.com>
Cc: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>; 'Sumit
Bose' <sb...@redhat.com>
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP
token

 

Hi Sumit,

 

I sent those to you directly as I wasn't comfortable posting them to the
list.

 

Regards,

 

Aaron

 

Get Outlook for iOS <https://aka.ms/o0ukef> 

  _____  

From: Sumit Bose <sb...@redhat.com <mailto:sb...@redhat.com> >
Sent: Wednesday, November 22, 2017 10:19:34 PM
To: Aaron Hicks
Cc: 'FreeIPA users list'; 'Sumit Bose'
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP
token 

 

On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote:
> Hi Sumit,
> 
> Here is /etc/pam.d/password-auth I missed that it was an include, an that
you wanted it too, again it's as installed bt CentOS 7.4 and
ipa-client-install
> 

ok, the PAM configuration looks good. Can you send me the PAM related
messages form /var/log/secure or the journal which cover the failed
attempt? And additionally the SSSD logs with debug_level=9 from the same
time. Most important would be sssd_pam.log, sssd_domain.name.log and
krb5_child-log.

bye,
Sumit

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to