And sorry Alexander, to your question it is a server so it all makes sense.

On Mon, 20 Mar 2023 at 17:18, David Harvey <[email protected]> wrote:

> Thank you both for the swift response. I totally missed the note on it
> being disabled for servers.
> Is there any official advice instead on hardening access to IPA servers
> due to their sensitivity?
> I guess there's always restricting the HBAC to allow accounts which have
> password + otp and not password only enabled...
>
> On Mon, 20 Mar 2023 at 17:05, Rob Crittenden <[email protected]> wrote:
>
>> Alexander Bokovoy via FreeIPA-users wrote:
>> > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote:
>> >> Hi there,
>> >>
>> >> When I try and re-enable TOTP for a host auth indicator I receive
>> >> "invalid 'krbprincipalauthind': authentication indicators not allowed in
>> >> service "host""
>> >> Running FreeIPA 4.9.10 on Rocky.
>> >>
>> >> I'm having some issues working out the current methods of OTP enforcement
>> >> for SSH interactive as a login method. I've had a look through
>> >> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html
>> >> but am still stuck.
>> >>
>> >> I previously had a host configured (on its own details page) as requiring
>> >> password and otp as auth indicators. This was a little buggy in that the
>> >> GUI didn't display it after setting it, but did require an OTP on logging
>> >> in with SSH and was reflected by the krbPrincipalAuthInd attr being set.
>> >> [image: image.png]
>> >> I cleared this for the host for $reasons - resulting in the attrs being
>> >> removed, and now if I try and re-enable I get:
>> >>
>> >> [image: image.png]
>> >>
>> >> Following that clue and those from other posts, I've been looking at the
>> >> services auth indicators as where to set instead, but as ssh or login
>> >> don't have services I can't work out how I am supposed to achieve this now?
>> >
>> > Is this system an IPA server or a client? For IPA servers we prevent
>> > adding authentication indicators for the reasons described in the
>> > workshop chapter you reference. The check is done by seeing if this
>> > server's hostname is returned by 'ipa server-find' command.
>>
>> Per ticket https://pagure.io/freeipa/issue/8206
>>
>> rob
>>
>> >
>> > You can modify the 'krbprincipalauthind' LDAP attribute directly with
>> > ldapmodify to get unstuck.
>> >
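As an added illustration of the two points raised in this thread (not code from the FreeIPA project or from any of the posters): the framework refuses authentication indicators on a host whose name is returned by `ipa server-find`, and on an ordinary host the `krbPrincipalAuthInd` attribute can be set with `ldapmodify`. The script below reproduces that check against a constructed sample of `ipa server-find` output and builds the LDIF for a plain host; it keeps the server refusal rather than bypassing it, since the workshop chapter linked above explains why indicators on IPA servers are a problem. The host DN layout (`fqdn=...,cn=computers,cn=accounts,<base DN>`), the sample hostnames and the list of accepted indicator values are assumptions, to be checked against your own deployment.

```python
import re

# Indicator values accepted on principals (assumed set for FreeIPA 4.9;
# confirm with `ipa host-mod --help` on your version).
KNOWN_INDICATORS = {"otp", "radius", "pkinit", "hardened"}

# Constructed sample of `ipa server-find` output; hostnames are made up.
SAMPLE_SERVER_FIND = """\
----------------------
2 IPA servers matched
----------------------
  Server name: ipa1.example.test
  Server name: ipa2.example.test
----------------------------
Number of entries returned 2
----------------------------
"""

# Matches both the default "Server name:" label and the --raw "cn:" form.
_SERVER_LINE = re.compile(r"^\s*(?:Server name|cn):\s*(\S+)\s*$", re.MULTILINE)


def ipa_servers(server_find_output):
    """Return the set of IPA server hostnames listed in server-find output."""
    return {
        m.group(1).lower().rstrip(".")
        for m in _SERVER_LINE.finditer(server_find_output)
    }


def authind_allowed(fqdn, server_find_output):
    """Mirror the framework's rule: indicators are refused on IPA servers."""
    return fqdn.lower().rstrip(".") not in ipa_servers(server_find_output)


def host_dn(fqdn, base_dn):
    """Assumed DN layout for host entries in the IPA directory tree."""
    return "fqdn=%s,cn=computers,cn=accounts,%s" % (fqdn, base_dn)


def build_authind_ldif(fqdn, base_dn, indicators, server_find_output):
    """Build the ldapmodify LDIF that replaces krbPrincipalAuthInd on a host.

    Raises ValueError for unknown indicator values or for an IPA server,
    matching the refusal the CLI shows in the thread above.
    """
    unknown = set(indicators) - KNOWN_INDICATORS
    if unknown:
        raise ValueError("unknown authentication indicator(s): %s"
                         % ", ".join(sorted(unknown)))
    if not authind_allowed(fqdn, server_find_output):
        raise ValueError("authentication indicators not allowed on IPA server %s"
                         % fqdn)
    lines = [
        "dn: %s" % host_dn(fqdn, base_dn),
        "changetype: modify",
        "replace: krbPrincipalAuthInd",
    ]
    # krbPrincipalAuthInd is multi-valued; one line per indicator.
    lines += ["krbPrincipalAuthInd: %s" % ind for ind in indicators]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Feed the result to: ldapmodify -Y GSSAPI -H ldaps://ipa1.example.test
    print(build_authind_ldif("client1.example.test", "dc=example,dc=test",
                             ["otp"], SAMPLE_SERVER_FIND))
```

In a real run you would replace `SAMPLE_SERVER_FIND` with the captured output of `ipa server-find` and pipe the LDIF into `ldapmodify` as an account allowed to write host entries; the point of keeping the server check in the generator is that the attribute write bypasses the framework's validation, so the safeguard has to be applied before the write.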
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue