And sorry Alexander, to your question it is a server so it all makes sense.

On Mon, 20 Mar 2023 at 17:18, David Harvey <[email protected]> wrote:
> Thank you both for the swift response. I totally missed the note on it
> being disabled for servers.
> Is there any official advice instead on hardening access to IPA servers
> due to their sensitivity?
> I guess there's always restricting the HBAC to allow accounts which have
> password + otp and not password only enabled...
>
> On Mon, 20 Mar 2023 at 17:05, Rob Crittenden <[email protected]> wrote:
>
>> Alexander Bokovoy via FreeIPA-users wrote:
>> > On Mon, 20 Mar 2023, David Harvey via FreeIPA-users wrote:
>> >> Hi there,
>> >>
>> >> When I try and re-enable TOTP for a host auth indicator I receive
>> >> "invalid 'krbprincipalauthind': authentication indicators not allowed in
>> >> service "host""
>> >> Running FreeIPA 4.9.10 on Rocky.
>> >>
>> >> I'm having some issues working out the current methods of OTP enforcement
>> >> for SSH interactive as a login method. I've had a look through
>> >> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html
>> >> but am still stuck.
>> >>
>> >> I previously had a host configured (on its own details page) as requiring
>> >> password and otp as auth indicators. This was a little buggy in that the
>> >> GUI didn't display it after setting it, but did require an OTP on logging
>> >> in with SSH and was reflected by the krbPrincipalAuthInd attr being set.
>> >> [image: image.png]
>> >> I cleared this for the host for $reasons - resulting in the attrs being
>> >> removed, and now if I try and re-enable I get:
>> >>
>> >> [image: image.png]
>> >>
>> >> Following that clue and those from other posts, I've been looking at the
>> >> services auth indicators as where to set instead, but as ssh or login don't
>> >> have services I can't work out how I am supposed to achieve this now?
>> >
>> > Is this system an IPA server or a client? For IPA servers we prevent
>> > adding authentication indicators for the reasons described in the
>> > workshop chapter you reference. The check is done by seeing if this
>> > server's hostname is returned by 'ipa server-find' command.
>>
>> Per ticket https://pagure.io/freeipa/issue/8206
>>
>> rob
>>
>> >
>> > You can modify 'krbprincipalauthind' LDAP attribute directly with
>> > ldapmodify to unstuck.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
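The guard Alexander describes above (auth indicators are refused on any host whose name comes back from `ipa server-find`), written out as an added shell example that is not from this thread or from the FreeIPA project. It assumes the `Server name:` label in `ipa server-find` output and the `ipa host-mod --auth-ind=...` option; the `ipa server-find` output below is a constructed sample, and the helper only prints the command it would run so the check can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not FreeIPA code): refuse to plan an auth indicator for an
# IPA server, mirroring the server-side check, otherwise print the ipa command.

# Constructed sample of what `ipa server-find` prints in a two-replica topology.
SAMPLE_SERVER_FIND='---------------------
2 IPA servers matched
---------------------
  Server name: ipa1.example.test
  Min domain level: 0
  Max domain level: 1

  Server name: ipa2.example.test
  Min domain level: 0
  Max domain level: 1
----------------------------
Number of entries returned 2
----------------------------'

# is_ipa_server HOST SERVER_FIND_OUTPUT
# Exit 0 when HOST appears as a "Server name:" entry in the server-find output.
is_ipa_server() {
    host=$1
    printf '%s\n' "$2" \
        | sed -n 's/^[[:space:]]*Server name:[[:space:]]*//p' \
        | grep -qFx "$host"
}

# plan_auth_ind HOST INDICATOR SERVER_FIND_OUTPUT
# Prints the `ipa host-mod` command that would set INDICATOR on HOST, or a
# "refuse:" line (and exit 1) when HOST is one of the IPA servers.
plan_auth_ind() {
    host=$1
    ind=$2
    if is_ipa_server "$host" "$3"; then
        printf 'refuse: %s is an IPA server; auth indicators are not allowed there\n' "$host"
        return 1
    fi
    printf 'ipa host-mod %s --auth-ind=%s\n' "$host" "$ind"
}

# Demonstration on the constructed sample: a client gets a command, a server
# is refused. In a real run, replace the sample with "$(ipa server-find)".
plan_auth_ind client1.example.test otp "$SAMPLE_SERVER_FIND"
plan_auth_ind ipa2.example.test otp "$SAMPLE_SERVER_FIND" || :
```

For a live check, pass `"$(ipa server-find)"` as the third argument; because `ipa server-find` lists every replica, the same function also protects replicas that are not the one you are logged in to.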
