Am Mon, May 20, 2024 at 06:32:31AM -0000 schrieb seojeong kim via FreeIPA-users:
on server side, ipauserauthtype set as password + otp. [root@xxxxxx /]# ipa user-show ereen-test --raw | grep ipauserauthtype ipauserauthtype: password ipauserauthtype: otp
And I added new configuration in /etc/ssh/sshd_config on my host which is ipa client is installed. GSSAPIAuthentication yes
Hi,
'GSSAPIAuthentication' is not needed there, this is for Kerberos/GSSAPI base authentication. You should make sure that 'KbdInteractiveAuthentication' (or 'ChallengeResponseAuthentication' for older versions) is allowed.
And /etc/sssd/sssd.conf [prompting/password/sshd] password_prompt = password : [prompting/2fa/sshd] first_prompt = first pwd : second_prompt = second otp :
But all the time, when I try ssh login with ereen-test, the prompt asks "password :" I expect 2 factor asking as I configured like below first_prompt : second_prompt :
Is there other configuration should I set more ?
Additionally you should check your PAM configuration. The 'pam_sss.so' module should be the first to ask the IPA users for the password in the 'auth' block, otherwise other modules might just ask for 'Password'.
HTH
bye, Sumit
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue