Hi All,

I am trying hard to get my 2FA working with FreeIPA, but every effort of mine 
is going to waste! I have referred to earlier forum emails but could not find any 
good reply on the issue I am facing.

This is what I am trying:

I have a test user created in my IPA server, enabled with two-factor 
authentication (password + OTP), with an ssh public key added to its profile. I 
want this test user to ssh into my IPA client (Ubuntu 14.04) using key + 
password + OTP. I would certainly prefer just the key + OTP only (no password), 
but that seems far sighted as I cannot even make it work with what is supposed 
to work: password + OTP.

My /etc/ssh/sshd_conf file has almost everything default, except I added these 
two lines at the end of it:

Match Group testusergroup
   AuthenticationMethods publickey,password:pam

I also tried with the below, but no luck:

Match Group testusergroup
   AuthenticationMethods publickey,keyboard-interactive

My /etc/pam.d/sshd has these two changes; the rest I kept default:

# Standard Un*x authentication.
#@include common-auth
auth required pam_sss.so

Now when I try to ssh into the IPA client, I either keep getting prompts for the 
password or it gets into a loop asking me to change the password, complaining 
falsely that it has expired. I have tried multiple combinations of 
configurations by referring to earlier email threads, but none I found helpful. I 
can't make a simple 2FA login work with FreeIPA. Normal password and key work 
just fine. It's the 2FA which does not work for me.

Would really be thankful if someone can help me with this issue. Is there any 
good FreeIPA 2FA configuration document that I can refer to?

What should the steps be for it to work seamlessly?

Many Thanks,
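
A static check related to the sshd_config lines in the message above, added here as an example and not part of the original post: it reports any method named in an AuthenticationMethods line whose enabling option is not "yes" (sshd skips method lists that contain a disabled method), and any password or keyboard-interactive method that cannot reach PAM. The sample config is constructed and is not the poster's file; the names audit, DEFAULTS, NEEDS and SAMPLE are hypothetical.

```python
# Added example: flag AuthenticationMethods entries whose enabling option is off.
# OpenSSH built-in defaults; a distro-shipped sshd_config may override them.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "usepam": "no"}
NEEDS = {"publickey": "pubkeyauthentication",
         "password": "passwordauthentication",
         "keyboard-interactive": "challengeresponseauthentication"}

# Constructed sample, not the poster's actual file.
SAMPLE = """\
UsePAM yes
ChallengeResponseAuthentication no
Match Group testusergroup
    AuthenticationMethods publickey,keyboard-interactive
"""

def audit(config_text):
    """Return (scope, problem) tuples for each AuthenticationMethods line."""
    global_opts, blocks = {}, []
    scope, opts = "global", global_opts
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                      # options below apply to this block
            scope, opts = "Match " + value, {}
            blocks.append((scope, opts))
        else:
            opts.setdefault(key, value)         # sshd keeps the first value seen
    findings = []
    for scope, opts in [("global", global_opts)] + blocks:
        effective = {**DEFAULTS, **global_opts, **opts}
        for method in opts.get("authenticationmethods", "").replace(",", " ").split():
            name = method.split(":", 1)[0]      # drop a submethod such as ":pam"
            option = NEEDS.get(name)            # other methods are not checked here
            if option and effective[option].lower() != "yes":
                findings.append((scope, f"{name} needs {option} yes"))
            if name in ("password", "keyboard-interactive") \
                    and effective["usepam"].lower() != "yes":
                findings.append((scope, f"{name} reaches PAM only with usepam yes"))
    return findings

if __name__ == "__main__":
    for scope, problem in audit(SAMPLE):
        print(f"{scope}: {problem}")
```

A clean result only means the listed methods are enabled; it does not show that the PAM stack or the OTP exchange itself succeeds.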

