So here is a twist on getting SSH/OTP to work. If I use the web UI and:
1) set user authentication types to "Two factor authentication (password
+ OTP)", then set the host I am trying to log in to to "password+OTP", it
works.
2) if the user has no authentication types hooked, or has Hardened
Password or Password in addition to the 2FA option hooked, login fails.
Had a look at SSSD logs (with debug level 7) but afraid I cannot spot
any clear issues save "pre authentication failed" if I have any of the
settings mentioned in point 2 above (have tried tracing that but cannot
for the life of me find the reason why).
All I am trying to do is require password+otp for the SSH portion. Sudo
should only require password, not password and otp...
Sorry, but very fresh to FreeIPA so I am certain there is some concept
at play here which I am just not seeing.
On 23/12/2022 20:28, Alexander Bokovoy wrote:
On pe, 23 joulu 2022, Kjell Cornelius Nicolaysen via FreeIPA-users
wrote:
> Hey,
>
>
> So I am trying to implement TOTP+password for SSH on a server. In
> the past it's been as simple as using Google Authenticator, but seeing
> as how we have a shiny FreeIPA server...
>
>
> Created a user, then gave them a TOTP token (synced and tested that
> it works by logging into the web UI). But I'm stuck at the correct
> way to implement this on the SSH server.
> Found the earlier thread[1] and got some pointers.
> sshd config:
>
> ChallengeResponseAuthentication yes
> AuthenticationMethods keyboard-interactive
>
>
> If I do not define password/otp for the host via the IPA web
> interface, login works fine with password. If I set it to
> password/otp only it fails.
>
>
> Looking at journalctl -xeu ssh.service there clearly is some issue.
>
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.31.102 user=kjell
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.31.102 user=kjell
> pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
> error: PAM: Authentication failure for kjell from 192.168.31.102
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.31.102 user=kjell
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.31.102 user=kjell
> pam_sss(sshd:auth): received for user kjell: 4 (System error)
> error: PAM: Authentication failure for kjell from 192.168.31.102
> Postponed keyboard-interactive for kjell from 192.168.31.102 port
> 38832 ssh2 [preauth]
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.31.102 user=kjell
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.31.102 user=kjell
> pam_sss(sshd:auth): received for user kjell: 4 (System error)
> error: PAM: Authentication failure for kjell from 192.168.31.102
> Failed keyboard-interactive/pam for kjell from 192.168.31.102 port
> 38832 ssh2
> Connection closed by authenticating user kjell 192.168.31.102 port
> 38832 [preauth]
>
>
> Tried giving my password, and my password+otp (without the '+'). But
> nothing works.
>
> Anyone got any pointers or see any obvious mistakes?
You get system error from pam_sss. You need to enable debug logging in
SSSD and collect logs. Please see
https://sssd.io/troubleshooting/basics.html for more details.
--
Mvh,
Kjell C. Nicolaysen
Bitfrost AS
PGP Public key available on request.
Current key (at time of this email) fingerprint:
3F59 7410 AFD5 FC22 F2F1 EEC9 980A 8C9E C126 6716
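The point Alexander raises is that the journal excerpt contains two different pam_sss outcomes: "7 (Authentication failure)" is PAM_AUTH_ERR, meaning IPA evaluated the credential and rejected it, while "4 (System error)" is PAM_SYSTEM_ERR, meaning the SSSD/PAM side failed before any credential decision, which is why the next step is SSSD debug logs rather than retyping the password or OTP. The following script is an added example, not code from this thread or from the FreeIPA/SSSD projects: it parses sshd journal lines of the shape quoted above, counts the pam_sss return codes per user, records the remote host from the pam_sss failure lines, and produces a next-step verdict. The PAM code numbers are the standard Linux-PAM values; the function names, verdict strings and the sample log (constructed to mirror the excerpt in the thread) are the example's own.

```python
"""Triage pam_sss failures in sshd journal output by PAM return code."""
import re
from collections import Counter, defaultdict

# Standard Linux-PAM return codes as they appear in pam_sss "received for user" lines.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",        # module/backend fault, not a credential decision
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",          # credential evaluated and rejected
    9: "PAM_AUTHINFO_UNAVAIL",  # backend could not obtain auth info (e.g. server unreachable)
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
}

# e.g. "pam_sss(sshd:auth): received for user kjell: 4 (System error)"
RECEIVED_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<stack>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
# e.g. "pam_sss(sshd:auth): authentication failure; ... rhost=192.168.31.102 user=kjell"
RHOST_RE = re.compile(
    r"pam_sss\([^)]*\): authentication failure;.*\brhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)


def parse_pam_sss(lines):
    """Return one event dict per pam_sss 'received for user' line."""
    events = []
    for line in lines:
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        events.append({
            "user": m.group("user"),
            "service": m.group("service"),
            "code": code,
            "name": PAM_CODES.get(code, "UNKNOWN(%d)" % code),
            "text": m.group("text"),
        })
    return events


def source_hosts(lines):
    """Map user -> set of remote hosts seen in pam_sss authentication-failure lines."""
    hosts = defaultdict(set)
    for line in lines:
        m = RHOST_RE.search(line)
        if m:
            hosts[m.group("user")].add(m.group("rhost"))
    return hosts


def triage(lines):
    """Per user: PAM code counts, remote hosts, and a next-step verdict (example wording)."""
    counts = defaultdict(Counter)
    for e in parse_pam_sss(lines):
        counts[e["user"]][e["name"]] += 1
    hosts = source_hosts(lines)
    report = {}
    for user, c in counts.items():
        if c["PAM_SYSTEM_ERR"]:
            verdict = "backend fault: enable SSSD debug logging and read the domain/pam logs"
        elif c["PAM_AUTHINFO_UNAVAIL"]:
            verdict = "auth info unavailable: check SSSD connectivity to the IPA server"
        elif c["PAM_AUTH_ERR"]:
            verdict = "credential rejected by IPA: verify password/OTP and the user's allowed auth types"
        else:
            verdict = "no failure recorded"
        report[user] = {
            "codes": dict(c),
            "rhosts": sorted(hosts.get(user, ())),
            "verdict": verdict,
        }
    return report


# Constructed sample, modeled on the sshd journal excerpt quoted in this thread.
SAMPLE_LOG = """\
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): received for user kjell: 4 (System error)
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, info in triage(SAMPLE_LOG).items():
        print(user, info["codes"], info["rhosts"])
        print("  next step:", info["verdict"])
```

Feed it `journalctl -u sshd --no-pager` output (or `ssh.service`, as in the thread) through standard input in place of the constructed sample; because the System error branch wins over Authentication failure, a mixed run like the one above is reported as a backend problem, which matches the advice given in the reply.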