On Tue, 2018-09-11 at 14:10 +1200, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a
> client and FreeIPA 4.5.4 (ok, it's really RHIdM)
>
> We had a lot of users having issues logging in and/or resetting their passwords
> on a host with 2FA enabled, and it turns out when they're using an advanced
> SSH client (e.g. MobaXterm) that also starts a SFTP session they can't log in
> and we see errors like:
>
> Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
> Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
>
> If the SFTP file browser is disabled, or its protocol is set to use SCP,
> then logins progress normally.
>
> In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule only
> allows sshd services, so if these were the cause of the '4 (System error)'
> failures then it'd be much better if the error reports were more meaningful.
>
> Does anyone have any advice on setting up SFTP so that it works (and
> ideally, doesn't need repeated entry of credentials)?
You should find out if your client supports using a master connection for SSH,
instead of trying to open multiple different connections for SSH and SFTP.

In the end it is a client issue if it can't properly prompt for credentials
when it uses multiple different authenticated connections (I assume this
client is caching passwords and trying to resubmit old 2FA codes in the
process? [Caching of passwords seems already bad in itself if that's the case;
how long does it hold onto your creds? Will it leak them?])

HTH,
Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
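What a master connection looks like for an OpenSSH-style client, as an added example that is not from the thread (`lander` and `testuser` come from the quoted log lines; the `~/.ssh/cm` socket directory is an assumption): every later `ssh`, `sftp` or `scp` to the host is opened as a channel over the one connection that already passed PAM, so sshd prompts for the password and OTP exactly once and never sees a second, unauthenticated SFTP login.

```sshconfig
# ~/.ssh/config on the client. Added example, not from the thread.
# "lander" is the 2FA host from the log lines; the socket directory is assumed.
Host lander
    User testuser
    # The first ssh to this host becomes the master; later ssh/sftp/scp
    # sessions are multiplexed over it instead of authenticating again.
    ControlMaster auto
    # One socket per user/host/port. %C hashes those so the path stays short.
    # Keep the directory private (mkdir -m 0700 ~/.ssh/cm): anyone who can
    # open this socket gets a session as you with no further authentication.
    ControlPath ~/.ssh/cm/%C
    # Keep the master alive for 10 minutes after the last session closes,
    # so a file browser that reconnects does not trigger a fresh OTP prompt,
    # but do not leave an authenticated session lying around indefinitely.
    ControlPersist 10m
```

After the first interactive login, `ssh -O check lander` reports whether the master is still up and `ssh -O exit lander` tears it down. A GUI client's built-in SFTP browser only benefits from this if it really goes through the OpenSSH client and this config rather than its own SSH library.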
