Hey,

So I am trying to implement TOTP+password for SSH on a server. In the past it's been as simple as using Google Authenticator, but seeing as how we have a shiny FreeIPA server...

Created a user, then gave them a TOTP token (synced and tested that it works by logging into the web UI). But I'm stuck on the correct way to implement this on the SSH server.
Found the earlier thread[1] and got some pointers.
sshd config:

ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive


If I do not define password/otp for the host via the IPA web interface, login works fine with password. If I set it to password/otp only it fails.


Looking at journalctl -xeu ssh.service, there clearly is some issue.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102  user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102  user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832 ssh2 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102  user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2
Connection closed by authenticating user kjell 192.168.31.102 port 38832 [preauth]


Tried giving my password, and my password+OTP (without the '+'). But nothing works.

Anyone got any pointers or see any obvious mistakes?

1: https://lists.fedoraproject.org/archives/list/[email protected]/thread/I2ADJSI47I7R3KOEDBG2PDOHY7GFT4JH/#RKOE6BB6KK2EUSMQM6NF25WX6BTIL5L5

--
Mvh,
Kjell C. Nicolaysen

PGP Public key available on request.
Current key (at time of this email) fingerprint:
3F59 7410 AFD5 FC22 F2F1  EEC9 980A 8C9E C126 6716
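As an added triage helper (not part of the original post or of FreeIPA/sssd): the journal quoted above mixes two different pam_sss return codes, 7 (PAM_AUTH_ERR, credentials rejected) and 4 (PAM_SYSTEM_ERR, the module or sssd itself failed), and the second one points at the server-side setup rather than at what was typed. This script counts those "received for user" records per user and attaches a hint per code; the sample log is constructed from the post's lines and the hint wording is ours, not pam_sss output.

```python
import re

# Constructed sample, modelled on the journalctl lines quoted in the post.
SAMPLE_LOG = """\
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): received for user kjell: 4 (System error)
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2
"""

# pam_sss logs the PAM return code it handed back to sshd.  7 is PAM_AUTH_ERR
# (credentials rejected); 4 is PAM_SYSTEM_ERR (the module or sssd itself
# failed), which points at the server-side setup rather than a mistyped
# password or OTP.  The hint text is ours, not something pam_sss prints.
PAM_CODE_HINT = {
    7: "PAM_AUTH_ERR: credentials rejected or auth type not permitted for this host",
    4: "PAM_SYSTEM_ERR: pam_sss/sssd failure, inspect sssd logs before blaming the password",
}

RECEIVED_RE = re.compile(
    r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def summarize_pam_sss(log_text):
    """Map user -> {pam_code: count} from 'received for user' records."""
    summary = {}
    for line in log_text.splitlines():
        # journald output (or a paste of it) may run several records onto
        # one line, so finditer picks up every match on the line.
        for m in RECEIVED_RE.finditer(line):
            per_user = summary.setdefault(m.group("user"), {})
            code = int(m.group("code"))
            per_user[code] = per_user.get(code, 0) + 1
    return summary

def triage(log_text):
    """One line per (user, code): count plus what the code usually means."""
    lines = []
    for user, codes in summarize_pam_sss(log_text).items():
        for code in sorted(codes):
            hint = PAM_CODE_HINT.get(code, "see pam(3) for this return code")
            lines.append(f"{user}: {codes[code]}x code {code} ({hint})")
    return lines

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```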
_______________________________________________
FreeIPA-users mailing list -- [email protected]