So here is a twist on getting SSH/OTP to work. If I use the web UI and:
1) set user authentication types to "Two factor authentication (password
+ OTP)", then set the host I am trying to log in to to "password+OTP", it
works.
2) if the user has no authentication types hooked, or has Hardened
Password or Password in addition to the 2FA option hooked, login fails.
Had a look at SSSD logs (with debug level 7) but I'm afraid I cannot spot
any clear issues save "pre authentication failed" if I have any of the
settings mentioned in point 2 above (have tried tracing that but cannot
for the life of me find the reason why).
All I am trying to do is require password+otp for the SSH portion. Sudo
should only require password, not password and otp...
Sorry, but very fresh to FreeIPA so I am certain there is some concept
at play here which I am just not seeing.
On 23/12/2022 20:28, Alexander Bokovoy wrote:
On pe, 23 joulu 2022, Kjell Cornelius Nicolaysen via FreeIPA-users wrote:
Hey,
So I am trying to implement TOTP+password for SSH on a server. In
the past it's been as simple as using Google Authenticator, but seeing
as how we have a shiny FreeIPA server...
Created a user, then gave them a TOTP token (synched and tested that
it works by logging into the web ui). But I'm stuck at the correct
way to implement this on the SSH server.
Found the earlier thread[1] and got some pointers.
sshd config:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
If I do not define password/otp for the host via the IPA web
interface, login works fine with password. If I set it to
password/otp only it fails.
Looking at journalctl -xeu ssh.service there clearly is some issue.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Postponed keyboard-interactive for kjell from 192.168.31.102 port
38832 ssh2 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port
38832 ssh2
Connection closed by authenticating user kjell 192.168.31.102 port
38832 [preauth]
Tried giving my password, and my password+otp (without the '+'). But
nothing works.
Anyone got any pointers or see any obvious mistakes?
You get system error from pam_sss. You need to enable debug logging in
SSSD and collect logs. Please see
https://sssd.io/troubleshooting/basics.html for more details.
--
Mvh,
Kjell C. Nicolaysen
Bitfrost AS
PGP Public key available on request.
Current key (at time of this email) fingerprint:
3F59 7410 AFD5 FC22 F2F1 EEC9 980A 8C9E C126 6716
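The reply above points at the distinction that matters in the journal output: pam_sss reporting "7 (Authentication failure)" is a rejected credential, while "4 (System error)" means pam_sss could not complete the request at all, which is why SSSD debug logs are the next step. The following script is an added example, not part of the thread or of FreeIPA/SSSD; it parses the `pam_sss(sshd:auth): received for user ...` lines from `journalctl`, maps the numeric result to its Linux-PAM name, and returns a triage verdict. The sample lines are copied from the journal excerpt in the thread (with wrapped lines rejoined); the function names and the `triage` verdict strings are this example's own.

```python
import re
from collections import Counter

# Linux-PAM return codes as defined in security/_pam_types.h.
# Only the codes this example needs to name are listed.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
}

# pam_sss logs the result of each auth request in this form.
PAM_SSS_RESULT = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Journal excerpt from the thread (constructed sample input for this example;
# the wrapped lines in the mail have been rejoined).
SAMPLE_JOURNAL = [
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell",
    "pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell",
    "pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)",
    "error: PAM: Authentication failure for kjell from 192.168.31.102",
    "pam_sss(sshd:auth): received for user kjell: 4 (System error)",
    "error: PAM: Authentication failure for kjell from 192.168.31.102",
    "Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832 ssh2 [preauth]",
    "pam_sss(sshd:auth): received for user kjell: 4 (System error)",
    "Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2",
]


def parse_pam_sss_results(lines):
    """Extract pam_sss result events: one dict per 'received for user' line."""
    events = []
    for line in lines:
        m = PAM_SSS_RESULT.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        events.append({
            "service": m.group("service"),
            "user": m.group("user"),
            "code": code,
            "name": PAM_CODES.get(code, f"PAM_CODE_{code}"),
            "text": m.group("text"),
        })
    return events


def summarize(events):
    """Count results by PAM name, e.g. {'PAM_AUTH_ERR': 1, 'PAM_SYSTEM_ERR': 2}."""
    return dict(Counter(e["name"] for e in events))


def triage(events):
    """Decide where to look next.

    'system_error'  -> pam_sss could not complete the request (PAM_SYSTEM_ERR);
                       enable SSSD debug logging and read the sssd domain/pam logs
                       rather than retrying credentials.
    'auth_failure'  -> the backend answered and rejected the credential.
    'no_pam_sss_events' -> nothing from pam_sss was found in the input.
    """
    codes = {e["code"] for e in events}
    if 4 in codes:
        return "system_error"
    if codes & {6, 7, 9, 10, 11}:
        return "auth_failure"
    return "no_pam_sss_events"


if __name__ == "__main__":
    evs = parse_pam_sss_results(SAMPLE_JOURNAL)
    for e in evs:
        print(f"{e['user']}@{e['service']}: {e['code']} {e['name']} ({e['text']})")
    print("summary:", summarize(evs))
    print("triage:", triage(evs))
```

Run it against `journalctl -u sshd -o cat` (or `ssh.service` on Debian-style hosts, as in the thread) piped through `sys.stdin` instead of the embedded sample; a verdict of `system_error` is the signal to raise `debug_level` in `sssd.conf` and inspect the SSSD logs, as the reply suggests, because no amount of retyping the password or OTP will change a PAM_SYSTEM_ERR.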
_______________________________________________
FreeIPA-users mailing list -- [email protected]