On the server side, ipauserauthtype is set as password + otp.

[root@xxxxxx /]# ipa user-show ereen-test --raw | grep ipauserauthtype
ipauserauthtype: password
ipauserauthtype: otp

And I added a new configuration in /etc/ssh/sshd_config on my host, on which the ipa client is installed:

GSSAPIAuthentication yes

And in /etc/sssd/sssd.conf:

[prompting/password/sshd]
password_prompt = password :
[prompting/2fa/sshd]
first_prompt = first pwd :
second_prompt = second otp :

But every time I try to ssh login as ereen-test, the prompt asks "password :". I expect to be asked for the two factors as I configured, like below:

first_prompt :
second_prompt :

Is there any other configuration I should set?
On Mon, May 20, 2024 at 06:32:31AM -0000, seojeong kim via FreeIPA-users wrote:
> On the server side, ipauserauthtype is set as password + otp.
>
> [root@xxxxxx /]# ipa user-show ereen-test --raw | grep ipauserauthtype
> ipauserauthtype: password
> ipauserauthtype: otp
>
> And I added a new configuration in /etc/ssh/sshd_config on my host, on which the ipa client is installed:
>
> GSSAPIAuthentication yes
Hi,
'GSSAPIAuthentication' is not needed there, this is for Kerberos/GSSAPI base authentication. You should make sure that 'KbdInteractiveAuthentication' (or 'ChallengeResponseAuthentication' for older versions) is allowed.
> And in /etc/sssd/sssd.conf:
>
> [prompting/password/sshd]
> password_prompt = password :
> [prompting/2fa/sshd]
> first_prompt = first pwd :
> second_prompt = second otp :
>
> But every time I try to ssh login as ereen-test, the prompt asks "password :". I expect to be asked for the two factors as I configured, like below:
>
> first_prompt :
> second_prompt :
>
> Is there any other configuration I should set?
Additionally you should check your PAM configuration. The 'pam_sss.so' module should be the first to ask the IPA users for the password in the 'auth' block, otherwise other modules might just ask for 'Password'.
HTH
bye, Sumit
-- FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
IPA offline authentication mode doesn't work when sssd.conf has single_prompt = True for an ipauserauthtype=otp user? When I have a test, ipauserauthtype = otp.

single_prompt = False
first_factor = pwd :
second_factor = otp :

Offline authentication works with the above configuration, but when I set single_prompt = True, offline authentication doesn't work.
On Mon, 27 May 2024, seojeong kim via FreeIPA-users wrote:
> IPA offline authentication mode doesn't work when sssd.conf has single_prompt = True for an ipauserauthtype=otp user? When I have a test, ipauserauthtype = otp.
>
> single_prompt = False
> first_factor = pwd :
> second_factor = otp :
>
> Offline authentication works with the above configuration, but when I set single_prompt = True, offline authentication doesn't work.
That is expected. Offline authentication works by storing a hashed version of a password locally and then comparing the hashed version of an entered password against this hash. As a result, when you use a single prompt, there is no separate password to hash; the whole pin+token sequence is hashed. Since the token value changes each time, it will never match the stored hashed version.
If you want offline authentication to work in such a case, you have to give up single prompting.
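As an added illustration of the mechanism described in the reply above (example code written for this page, not SSSD's implementation): a toy offline credential cache that stores a salted hash of whatever was typed at the first prompt during the last successful online login, then checks an offline attempt against it. Password and token values are constructed, the hash scheme is simplified, and the user name ereen-test is reused from the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value; only the comparison logic matters here

class OfflineCache:
    """Toy stand-in for an SSSD-style offline credential cache: it never
    stores a secret, only a salted hash of what was typed at the first
    prompt when the last online login succeeded."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

    def record_online_success(self, user: str, password: str, token: str,
                              single_prompt: bool) -> None:
        """Called after the server accepted the login. With two prompts the
        first factor is known on its own and is what gets hashed; with a
        single prompt the cache only ever sees the concatenated string."""
        first_prompt_value = password + token if single_prompt else password
        salt = os.urandom(16)
        self._entries[user] = (salt, self._hash(first_prompt_value, salt))

    def offline_login(self, user: str, typed: str) -> bool:
        """Offline there is a single prompt: the typed value is hashed with the
        stored salt and compared in constant time to the cached digest."""
        if user not in self._entries:
            return False
        salt, digest = self._entries[user]
        return hmac.compare_digest(self._hash(typed, salt), digest)

def demo() -> tuple[bool, bool, bool]:
    """Runs both prompting modes; password and token values are constructed."""
    password, token_at_login, token_now = "correct-horse", "482913", "775204"

    two = OfflineCache()
    two.record_online_success("ereen-test", password, token_at_login, single_prompt=False)
    two_prompt_ok = two.offline_login("ereen-test", password)  # True

    one = OfflineCache()
    one.record_online_success("ereen-test", password, token_at_login, single_prompt=True)
    new_token_ok = one.offline_login("ereen-test", password + token_now)  # False: token changed
    password_only_ok = one.offline_login("ereen-test", password)  # False: digest covers pw+token
    return two_prompt_ok, new_token_ok, password_only_ok
```

Calling demo() returns (True, False, False): only the two-prompt cache can ever be matched again, because the single-prompt cache hashed a token value that is no longer valid.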
For offline authentication mode, I have to give up single prompting. Then I should get the pwd and otp separately: 2fa user / 2 factors input separately.
Can I use sshpass? As far as I have researched, I can't find any way to convey the pwd and otp separately by using sshpass.
On Mon, 27 May 2024, seojeong kim via FreeIPA-users wrote:
> For offline authentication mode, I have to give up single prompting. Then I should get the pwd and otp separately: 2fa user / 2 factors input separately.
> Can I use sshpass? As far as I have researched, I can't find any way to convey the pwd and otp separately by using sshpass.
I don't think you'd be able to use sshpass without modifications. sshpass does not take into account multiple prompts.
You are probably best to switch to GSSAPI authentication instead: obtain a Kerberos ticket for this user locally and then use that ticket to authenticate to your SSH server.
Another alternative is to use SSH keys.
/etc/sssd/sssd.conf:

[sssd]
reconnection_retries = 0
config_file_version = 2
services = nss, sudo, pam, ssh
domains = example.com
[nss]
homedir_substring = /home
[pam]
#debug_level = 10
[sudo]
#debug_level = 7
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
[prompting/password]
password_prompt = Password :
[prompting/2fa]
single_prompt = False
first_prompt = 2fa_Password :
second_prompt = 2fa_Otp :

For the user whose ipauserauthtype is 'otp', when sssd_be is online, the two prompt inputs work: I have to put the password / otp separately. But when sssd_be is offline, there is only one prompt, like 'Password :'. I wonder why it works this way. Is there any way to get the two prompts asked separately in offline mode as well?
On Fri, 31 May 2024, seojeong kim via FreeIPA-users wrote:
> /etc/sssd/sssd.conf:
>
> [sssd]
> reconnection_retries = 0
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = example.com
> [nss]
> homedir_substring = /home
> [pam]
> #debug_level = 10
> [sudo]
> #debug_level = 7
> [autofs]
> [ssh]
> [pac]
> [ifp]
> [secrets]
> [session_recording]
> [prompting/password]
> password_prompt = Password :
> [prompting/2fa]
> single_prompt = False
> first_prompt = 2fa_Password :
> second_prompt = 2fa_Otp :
>
> For the user whose ipauserauthtype is 'otp', when sssd_be is online, the two prompt inputs work: I have to put the password / otp separately. But when sssd_be is offline, there is only one prompt, like 'Password :'. I wonder why it works this way.
You keep asking the same question while you've got answers on it already in this thread. Also, please keep the context and quote an email you are answering to.
> Is there any way to get the two prompts asked separately in offline mode as well?
No.