I'd seen previous posts (now a few years old) on enabling per-host 2-factor
authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I
followed what I think are the correct steps to enable 2FA on a specific
host, but the behavior is a little strange:

User A: enable both Password and Two factor authentication (password +
OTP), and configure an OTP.

User B: enable just the Password option.

Host A: select "otp" under Authentication indicators, ensure the following
lines are present in /etc/ssh/sshd_config and restart sshd:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive

Host B: make no changes to Authentication indicators (none selected), make
the same changes as above to sshd_config.

After these changes:

User A -> Host A
The user sees the following prompts:

First Factor:
Second Factor (optional):

However, the second factor is required (as expected) and the login fails
without it.

User A -> Host B
The user gets the same prompt as above, but the second factor is actually
optional, and the login succeeds without supplying any value.

User B -> Host A
The user gets a regular password prompt, but cannot log in using the
correct password (as expected, since an OTP is required).

User B -> Host B
The user gets a regular password prompt and can log in as expected.

Everything is working more-or-less as expected, but the "Second Factor
(optional)" prompt is a little confusing, particularly in cases where it is
required. Is this due to my specific configuration (or mis-configuration)
or is this the expected behavior?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
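A check for the sshd side of the setup described in the post, added here as an example and not code from the original message or from FreeIPA: it reports the value sshd would actually apply for each keyword, since sshd honours the first occurrence and a stock CentOS 7 file already carries an uncommented "ChallengeResponseAuthentication no" that overrides a "yes" appended later. The function names and the sample config it writes are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an sshd_config really
# enables PAM keyboard-interactive auth, which is what FreeIPA's OTP prompts
# ride on. sshd applies the FIRST occurrence of a keyword, so the uncommented
# "ChallengeResponseAuthentication no" in a stock CentOS 7 file silently wins
# over a "yes" appended at the bottom. Keywords after a "Match" line are
# conditional and are ignored here (simplification). Function names are mine.

# effective_value FILE KEYWORD: print the value sshd would apply (first match,
# case-insensitive keyword), or nothing if it is never set in the global section.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { exit }                  # global section ends
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check_otp_sshd FILE: return 0 when keyboard-interactive over PAM is effective,
# 1 otherwise, naming the first setting that blocks it.
check_otp_sshd() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication)
    [ "$cra" = "yes" ] || { echo "ChallengeResponseAuthentication=${cra:-unset} (need yes)"; return 1; }
    pam=$(effective_value "$1" UsePAM)          # OpenSSH default is no
    [ "${pam:-no}" = "yes" ] || { echo "UsePAM=${pam:-unset} (need yes)"; return 1; }
    methods=$(effective_value "$1" AuthenticationMethods)
    # Comma-separated lists, space-separated alternatives, optional ":pam"
    # suffix: normalise to one method per line and look for ours.
    if ! printf '%s\n' "$methods" | tr ' ,' '\n\n' | sed 's/:.*//' \
            | grep -qx 'keyboard-interactive'; then
        echo "AuthenticationMethods=${methods:-unset} (need keyboard-interactive)"
        return 1
    fi
    echo "ok: keyboard-interactive via PAM is effective"
}

# demo: a constructed file that looks right at the bottom but is not.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample: stock "no" with the usual lines appended' \
        'ChallengeResponseAuthentication no' 'UsePAM yes' \
        'ChallengeResponseAuthentication yes' \
        'AuthenticationMethods keyboard-interactive' > "$f"
    check_otp_sshd "$f" || echo "(the earlier 'no' wins: change it, do not append)"
    rm -f "$f"
}
demo
```

Run it against /etc/ssh/sshd_config on Host A and Host B; a difference in the reported effective values between the two hosts is a quicker explanation for divergent prompts than the FreeIPA side.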