On Wed, Oct 23, 2024 at 12:58:08PM -0000, Damiano Giuliani via FreeIPA-users wrote:
> Hi guys,
>
> I'm facing a strange behaviour about FreeIPA OTP,
>
> we installed FreeIPA 4.11 on RockyLinux 9.4 and configured all users to
> authenticate using OTP, which is working fine except for this behaviour:
> when a user connects using ssh using hostname to the first client (ssh
> user@hostname1), FreeIPA correctly asks for 2FA, then once logged in, if I
> ssh to a second server using hostname (ssh user@hostname2) it doesn't ask me
> any 2FA, instead if I use the IP (ssh user@ip_of_hostname2) it asks me it.
>
> it's a strange behaviour, shouldn't it ask always 2FA?
>
> can you guys enlighten me and help to make FreeIPA ask always 2FA for each ssh?

Hi,

you most probably have GSSAPIAuthentication enabled in sshd. The first login will give you a Kerberos ticket which is used for GSSAPIAuthentication to the second host as long as you use the fully-qualified name of the host.

If you use the IP address to connect to the second host, GSSAPIAuthentication will most probably fail because Kerberos/GSSAPI needs the fully-qualified name to find the required keys, and as a result ssh will fall back to other authentication methods and will prompt you for the two factors.

HTH

bye,
Sumit

>
> thanks
>
> Damiano
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
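
Added example, not part of the original thread: a check for the condition the reply describes, run over the effective sshd settings as printed by `sshd -T`. It reports whether a Kerberos ticket alone (the `gssapi-with-mic` method) can complete a login; the function name `ticket_login_status` and both sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `sshd -T`-style "keyword value"
# lines on stdin and reports whether a Kerberos ticket alone can complete an
# SSH login. ticket_login_status is a hypothetical helper name.
ticket_login_status() {
    awk '
        { key = tolower($1) }
        key == "gssapiauthentication" { gss = tolower($2) }
        key == "authenticationmethods" {
            methods_set = 1
            for (i = 2; i <= NF; i++) lists[++n] = tolower($i)
        }
        END {
            # OpenSSH default for GSSAPIAuthentication is "no".
            if (gss != "yes") { print "ticket-login-blocked"; exit }
            # Default AuthenticationMethods is "any": one method is enough.
            if (!methods_set) { print "ticket-login-possible"; exit }
            # Each list is comma-separated; all methods in one list must pass.
            for (i = 1; i <= n; i++)
                if (lists[i] == "any" || lists[i] == "gssapi-with-mic") {
                    print "ticket-login-possible"; exit
                }
            print "ticket-login-blocked"
        }'
}

# Constructed sample: settings that match the behaviour described in the thread.
sample_sso='port 22
gssapiauthentication yes
authenticationmethods any'

# Constructed sample: the same host after setting "GSSAPIAuthentication no".
sample_hardened='port 22
gssapiauthentication no
authenticationmethods any'

# On a real host, as root: sshd -T | ticket_login_status
# (settings inside Match blocks need `sshd -T -C user=...,host=...,addr=...`).
printf '%s\n' "$sample_sso" | ticket_login_status
printf '%s\n' "$sample_hardened" | ticket_login_status
```

With `GSSAPIAuthentication no` on the second host, the ticket from the first login is no longer accepted there and sshd falls back to the methods that prompt for both factors.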
