Hi Alexander,

I am using AWS to do a pilot on FreeIPA & unfortunately AWS does not provide Fedora or CentOS as part of its free tier setup, so I have to live with Ubuntu, Red Hat, SUSE etc. I have the same problem with Ubuntu and Red Hat though!

Just one basic question: what are the steps I should be following to make it work, assuming I am trying on CentOS or Fedora?

Regards,
Deepak

________________________________
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: email@example.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:
>Hi All,
>
>I am trying hard to get my 2FA working with FreeIPA but every effort of
>mine is going to waste! I have referred to earlier forum emails but could
>not find any good reply on the issue I am facing.
>
>This is what I am trying:
>
>I have a test user created in my IPA server enabled with two-factor
>authentication (password + OTP) and it has an ssh public key added in its
>profile. I want this test user to ssh into my IPA client (Ubuntu
>14.04) using key + password + OTP. I would certainly prefer just the
>key + OTP only (no password) but that seems far sighted as I cannot
>even make it work with what is supposed to work, password + OTP.

Can you make it work on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce the problem space to the client side.

>My /etc/ssh/sshd_conf file has almost everything default except I
>added these two lines at the end of it:
>
>Match Group testusergroup
>    AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
>I also tried with the below but no luck:
>
>Match Group testusergroup
>    AuthenticationMethods publickey,keyboard-interactive
>
>My /etc/pam.d/sshd has these two changes, the rest I kept default:
>
># Standard Un*x authentication.
>#@include common-auth
>
>auth required pam_sss.so
>
>Now when I try to ssh into the IPA client I either keep getting prompts for
>the password or it gets into a loop asking me to change the password,
>complaining falsely that it has expired. I have tried multiple
>combinations of configurations by referring to earlier email threads but
>none I found helpful. I can't make simple 2FA login work with
>FreeIPA. Normal password and key works just fine. It's the 2FA which
>does not work for me.
>
>I would really be thankful if someone can help me with this issue. Is
>there any good FreeIPA 2FA configuration document that I can refer to?
>
>What should the steps be for it to work seamlessly?
>
>Many Thanks,
>
>Deepak
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy