I was able to set this up in a Fedora instance with SSSD and it works as
expected. SSHD first uses the public key and then prompts for password
which is of course password+OTP.

However, having a user enter the password+OTP every time he logs in during
the day is kind of inconvenient. Is it possible to make sure the user has
to log in once and the credentials are cached for, say, 12/24 hours? I know
this is possible just using the password. The question is, is this possible
using password+OTP?


On 27 June 2015 at 13:06, Prashant Bapat <prash...@apigee.com> wrote:

> Aah ok !
> Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended
> up using nss-pam-ldap, nscd and nslcd.
> However this looks promising. Only for the servers exposed to Internet I
> could use CentOS/Fedora and this method of authentication. Let me try this
> and come back to you.
> Thanks.
> --Prashant
> On 27 June 2015 at 10:17, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> ----- Original Message -----
>> > Hi ,
>> >
>> > I'm exploring implementing a 2FA solution to my servers exposed to the
>> > public. Mainly to secure SSH with 2FA. The SSH keys and users are already in
>> > FreeIPA.
>> >
>> > Is there a way to utilize the OTP inside FreeIPA during a user login to
>> > these servers? A user will have to enter the TOTP code based on what's
>> > configured in FreeIPA. Something along the lines of
>> > https://github.com/google/google-authenticator/tree/master/libpam
>> If you are using SSSD (pam_sss), it will automatically accept 2FA.
>> You need to force OpenSSH to combine authentication methods, something
>> like:
>> AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>> Look into the sshd_config manual page for details. This is a feature of OpenSSH
>> 6.2 or later.
>> --
>> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
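An added example, not from anyone in this thread: a small POSIX shell audit of an sshd_config (a constructed sample using the directive suggested above is embedded) that checks that UsePAM is on, which pam_sss and the :pam submethods depend on, and that every AuthenticationMethods chain includes publickey, so that a stray chain such as a bare `password` or `any` can never let the password+OTP factor alone open the door.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config so that no
# AuthenticationMethods chain allows a login without the public key.
# Constructed sample config, using the directive suggested in the thread
# plus the PAM settings that pam_sss relies on.
SAMPLE_CONFIG='
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
'

# audit_sshd_config FILE: prints one line per finding, returns 0 if clean.
# Note: Match blocks are not evaluated here; run `sshd -T` to dump the
# effective configuration and audit that output instead.
audit_sshd_config() {
    file="$1"
    rc=0
    # UsePAM must be on, or pam_sss (and the :pam submethods) never run.
    if ! grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$file"; then
        echo "UsePAM is not yes"; rc=1
    fi
    # Without AuthenticationMethods, any single enabled method is sufficient.
    if ! grep -Eiq '^[[:space:]]*AuthenticationMethods[[:space:]]' "$file"; then
        echo "AuthenticationMethods not set"; rc=1
    fi
    # Each whitespace-separated chain must list publickey as one of its factors.
    for chain in $(grep -Ei '^[[:space:]]*AuthenticationMethods[[:space:]]' "$file" \
                   | awk '{ $1=""; print }'); do
        case ",$chain," in
            *,publickey,*) ;;
            *) echo "chain '$chain' does not require publickey"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo: audit the constructed sample, which should pass cleanly.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
if audit_sshd_config "$tmp"; then
    echo "sshd_config: every chain requires publickey and UsePAM is on"
fi
rm -f "$tmp"
```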