On Thu, Sep 22, 2016 at 08:17:21AM +0000, Deepak Dimri wrote:
> Hi All,
>
> I am trying hard to get my 2FA working with FreeIPA but every effort of mine
> is going to waste! I have referred to earlier forum emails but could not find
> any good reply on the issue I am facing.
>
> This is what I am trying:
>
> I have a test user created in my IPA server enabled with two-factor
> authentication (password + OTP) and has an ssh public key added in its profile.
> I want this test user to ssh into my ipa client (ubuntu 14.04) using key +
> password + OTP. I would certainly prefer just the key + OTP only (no
> password) but that seems far sighted as I cannot even make it work with what
> is supposed to work: password + OTP.
>
> My /etc/ssh/sshd_conf file has almost everything default except I added
> these two lines at the end of it:
>
> Match Group testusergroup
> AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
> I also tried with the below but no luck:
>
> Match Group testusergroup
> AuthenticationMethods publickey,keyboard-interactive
>
> My /etc/pam.d/sshd has these two changes, the rest I kept default:
>
> # Standard Un*x authentication.
> #@include common-auth
>
> auth required pam_sss.so
>
> Now when I try to ssh into the ipa client I either keep getting prompts for the
> password or it gets into a loop asking me to change the password, complaining
> falsely that it has expired. I have tried multiple combinations of
> configurations by referring to earlier email threads but none I found helpful. I
> can't make a simple 2FA login work with FreeIPA. Normal password and key
> works just fine. It's the 2FA which does not work for me.
>
> Would really be thankful if someone can help me with this issue. Is there
> any good FreeIPA 2FA configuration document that I can refer to?

Please add debug_level=10 to the [pam] and [domain/...] sections of sssd.conf,
restart SSSD, re-run the authentication and send the generated debug logs
together with your sssd.conf and the full /etc/pam.d/sshd. Please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

> What should the steps be for it to work seamlessly?

In general it should work out of the box with SSSD's ipa provider.

bye,
Sumit

> Many Thanks,
>
> Deepak
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
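
One way to apply the debug_level change requested in the reply above, as an added example that is not part of the original thread and not SSSD's own tooling. The function name set_debug_level and the sample configuration (domain example.test) are assumptions made for illustration.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*debug_level\s*=")


def wants_debug(section):
    """True for the sections named in the reply: [pam] and every [domain/...]."""
    return section == "pam" or section.startswith("domain/")


def set_debug_level(conf_text, level=10):
    """Return conf_text with debug_level set in [pam] and [domain/...] sections.

    Line-based on purpose: comments and every other option are left untouched.
    """
    out, section = [], None
    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").strip()
            out.append(line)
            if wants_debug(section):
                out.append(f"debug_level = {level}")
            continue
        # Drop a previous debug_level in a target section; the new value was
        # already written directly under the section header.
        if section and wants_debug(section) and OPTION_RE.match(line):
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample sssd.conf (not the poster's file).
SAMPLE = """\
[sssd]
services = nss, pam, ssh
domains = example.test

[pam]
# existing comment is preserved

[domain/example.test]
id_provider = ipa
debug_level = 2
"""

if __name__ == "__main__":
    print(set_debug_level(SAMPLE), end="")
```

Write the result back to sssd.conf and restart SSSD before re-running the authentication, as the reply describes.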