Just updated to the testing on F23 and sudo does work, but it prompts
for a single password and the single user password work, OTP is not
needed or prompted.

I still need OTP when I login as my user just not on sudo, is that the
correct behavior and if so can that be changed to always require OTP?


On Wed, Mar 23, 2016 at 2:55 PM, Brad Bendy <brad.be...@gmail.com> wrote:
> Ignore what I said earlier :)
> The issue is when I run sudo the lookup appears to still be wanting
> OTP (even though RADIUS is the only box checked for that user), no
> matter what I enter it won't go past that first prompt, the request
> never makes it over to my RADIUS server at all. Standard logins work
> just fine but soon as you try to sudo it wants the "first factor" but
> request never make it to the RADIUS server. Im going to play around
> with some settings, but am I missing something or is there no way to
> forward the sudo request to the same RADIUS server as well?
> Thanks
> On Wed, Mar 23, 2016 at 2:41 PM, Brad Bendy <brad.be...@gmail.com> wrote:
>> I will upgrade a few machines and test this out, I just got done
>> making a script for RADIUS to handle OTP, I didn't see this e-mail
>> till now!
>> If Password + RADIUS are turned on for the user it looks like it's
>> still doing the first factor prompt, if I don't enable the password
>> option then a LDAP (have not tested Kerberos yet) lookup will fail,
>> haven't dug into to see if the account is disabled or what is causing
>> that. Does that sound correct though? My idea was to have FreeIPA
>> proxy to RADIUS and let RADIUS to the LDAP/Kerberos+OTP and then auth
>> that way, I take it that's not going to work?
>> Thanks
>> On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik <lsleb...@redhat.com> 
>> wrote:
>>> On (22/03/16 10:06), Brad Bendy wrote:
>>>>Im having some issues applying these patches with dependencies. But on
>>>>a side note, this needs to be applied to the client machines as well
>>>>the IPA server itself, correct?
>>> I pushed related sudo patches to fedora yesterday.
>>> They are in updates-testing ATM.
>>> If you want to test packages on el6 or el7
>>> Then backported version of fedora packages are available in
>>> our sssd group copr repo.
>>> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>>> Please report any bugs here or to sssd-users.
>>> LS

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to