Andrey Dudin <dudin.and...@gmail.com> writes:

> I am trying to use OTP auth in FreeIPA but have some problems.

OTP (with RADIUS) works for me.

> I have user *test:*
>
> [root@ipa-centos]# ipa user-show test
...

Did you enable --user-auth-type=otp with "ipa config-mod"? I have:

[root@freeipa1 log]# ipa config-show --raw
...
  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius

Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.

Otherwise, you need to enable --user-auth-type=otp for your user. I have
for RADIUS both password and radius for my OTP user:

[root@freeipa1 log]# ipa user-show jochen --raw
...
  ipauserauthtype: password
  ipauserauthtype: radius

If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".

When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP. That might be easier to
first test that you can authenticate with OTP.

> Server with FreeIPA:
>
> [root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
...
> Authentication Indicators: otp

Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating? I can't remember
anything from reading the docs - I expected some option for klist.

Jochen

--
This space is intentionally left blank.
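
An added example, not part of the original message: a shell helper that pulls the ipauserauthtype values out of "ipa config-show --raw" and "ipa user-show --raw" style output and reports which types apply to a user. The sample text is constructed, the function names are hypothetical, and the rule that values on the user entry take precedence over the global ones is an assumption not stated in the message.

```shell
#!/bin/sh
# Constructed sample output in the shape shown in the message above.
GLOBAL_RAW='  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius'
USER_RAW='  uid: jochen
  ipauserauthtype: password
  ipauserauthtype: radius'

# Read --raw output on stdin; print the ipauserauthtype values,
# lower-cased, de-duplicated, sorted and space-separated.
auth_types() {
    awk -F': *' '$1 ~ /^[ \t]*ipauserauthtype$/ {
            gsub(/[ \t\r]+$/, "", $2); print tolower($2) }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# $1 = user-show --raw output, $2 = config-show --raw output.
# Assumption: types set on the user entry win; if the user entry has
# none, the global configuration applies.
effective_types() {
    u=$(printf '%s\n' "$1" | auth_types)
    if [ -n "$u" ]; then
        printf '%s\n' "$u"
    else
        printf '%s\n' "$2" | auth_types
    fi
}

# $1 = type to look for, $2 = user output, $3 = global output.
# Exit status 0 when the type is in the effective set.
allows() {
    case " $(effective_types "$2" "$3") " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

printf 'effective types: %s\n' "$(effective_types "$USER_RAW" "$GLOBAL_RAW")"
if allows otp "$USER_RAW" "$GLOBAL_RAW"; then
    echo "otp is enabled for this user"
else
    echo "otp is NOT enabled for this user"
fi
```

Against a live server, pass "$(ipa user-show jochen --raw)" and "$(ipa config-show --raw)" in place of the constructed samples.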