On Fri, 23 Sep 2016, Deepak Dimri wrote:
Hi Alexander,


I somehow managed to try it on Fedora and it did work fine for me.


Now is there any way I can restrict the login to OTP only, and not password + OTP?
No, this is not supported. OTP value only is not secure enough (6 digits
by default, really low entropy).



Best Regards,

Deepak


________________________________
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:

Hi All,


I am trying hard to get my 2FA working with FreeIPA but every effort of
mine is going to waste! I have referred to earlier forum emails but could not
find any good reply on the issue I am facing.


This is what I am trying:


I have a test user created in my IPA server enabled with two-factor
authentication (password + OTP) and it has an ssh public key added in its
profile.  I want this test user to ssh into my IPA client (Ubuntu
14.04) using key + password + OTP. I would certainly prefer just the
key + OTP only (no password) but that seems far sighted as I cannot
even make it work with what is supposed to work, password + OTP.
Can you make it work on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce problem space to the client side.

My /etc/ssh/sshd_conf file has almost everything default except I
added these two lines at the end of it:

Match Group testusergroup

  AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

I also tried with the below but no luck:

Match Group testusergroup

AuthenticationMethods publickey,keyboard-interactive


My /etc/pam.d/sshd has these two changes, the rest I kept default:


# Standard Un*x authentication.

#@include common-auth


auth required pam_sss.so


Now when I try to ssh into the IPA client I either keep getting prompts for
the password or it gets into a loop asking me to change the password,
complaining falsely that it has expired. I have tried multiple
combinations of configurations by referring to earlier email threads but
none I found helpful. I can't make a simple 2FA login work with
FreeIPA. Normal password and key works just fine. It's the 2FA which
does not work for me.


I would really be thankful if someone can help me with this issue. Is
there any good FreeIPA 2FA configuration document that I can refer to?

What should the steps be for it to work seamlessly?


Many Thanks,

Deepak


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
