[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-15 Thread Kevin Vasko via FreeIPA-users
Well that’s the thing, I didn’t realize the service certificate was revoked as I thought the entire point of validating the client cert was to validate the entire “chain” with OCSP. I’m using IPA’s internal cert system. Yeah, I kept reissuing tickets when I was trying to get the post command

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Kristian Petersen via FreeIPA-users
I tried attaching the files to my reply but that was rejected. So what is the best way to share them with you? On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden wrote: > Kristian Petersen via FreeIPA-users wrote: > > They aren't in one file. But the server cert's issuer is the subject of > > the

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Kristian Petersen via FreeIPA-users
I have attached the files to this response. On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden wrote: > Kristian Petersen via FreeIPA-users wrote: > > They aren't in one file. But the server cert's issuer is the subject of > > the DigiCert.crt file. I have already tried adding just the > >

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > They aren't in one file.  But the server cert's issuer is the subject of > the DigiCert.crt file.  I have already tried adding just the > Digicert.crt file only to have it tell me it's Peer's Certificate isn't > trusted.  I don't even know what

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-15 Thread Vinícius Ferrão via FreeIPA-users
On 15 Oct 2019, at 17:49, Rob Crittenden <rcrit...@redhat.com> wrote: Vinícius Ferrão wrote: Hi Rob On 15 Oct 2019, at 10:22, Rob Crittenden <rcrit...@redhat.com> wrote: Vinícius Ferrão via FreeIPA-users wrote: Hello, I’m trying to implement SSH

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Vinícius Ferrão wrote: > Hi Rob > >> On 15 Oct 2019, at 10:22, Rob Crittenden > > wrote: >> >> Vinícius Ferrão via FreeIPA-users wrote: >>> Hello, >>> >>> I’m trying to implement SSH Hostbased Authentication between IPA >>> joined machines but I’m with difficulties

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-15 Thread Vinícius Ferrão via FreeIPA-users
Hi Rob On 15 Oct 2019, at 10:22, Rob Crittenden <rcrit...@redhat.com> wrote: Vinícius Ferrão via FreeIPA-users wrote: Hello, I’m trying to implement SSH Hostbased Authentication between IPA joined machines but I’m with difficulties regarding: * The /etc/ssh/ssh_known_hosts file. In a

[Freeipa-users] MFA authentication for some service only?

2019-10-15 Thread William Kwan via FreeIPA-users
Hi, I ran some tests and was able to enable multi-factor authentication. What I have is a Fortinet firewall hooked up to LDAP on FreeIPA for VPN login. By turning on MFA for a user, when the user SSH to a Linux host, the MFA is required also. Is there any way to have MFA on VPN but not on

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Kristian Petersen via FreeIPA-users
They aren't in one file. But the server cert's issuer is the subject of the DigiCert.crt file. I have already tried adding just the Digicert.crt file only to have it tell me it's Peer's Certificate isn't trusted. I don't even know what certificate that is talking about. On Tue, Oct 15, 2019 at

[Freeipa-users] Re: Internal vs External CA

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen wrote: > Rob, > > After investigating the certs as you had suggested, I do have the whole > chain.  The server cert has as its issuer: > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com > , CN = DigiCert SHA2 High Assurance Server CA > > And the

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Vinícius Ferrão via FreeIPA-users wrote: > Hello, > > I’m trying to implement SSH Hostbased Authentication between IPA joined > machines but I’m with difficulties regarding: > > * The /etc/ssh/ssh_known_hosts file. > > In a FreeIPA environment the known_hosts are stored on IPA, and I’m

[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Please keep freeipa-users in the responses. Elhamsadat Azarian wrote: > Hi Rob > I did it and I got this answer: > > Access granted : false > > What can i do now? IPA ships with a default HBAC rule, allow_all, which allows all users to authenticate on all hosts. I can only assume you've