On Tue, Nov 27, 2018 at 01:34:25PM +0100, Winfried de Heiden wrote:
Hi all,
I tried this as well, created a user for which otp and password are both allowed
to enforce OTP login on certain hosts but sudo without otp:
Enforcing 2FA for a host currently means enforcing it for all services
which are handled by SSSD via PAM including sudo.
bye,
Sumit
ipa user-show winfried
User login: winfried
First name: Winfried
Last name: de Heiden
Home directory: /home/winfried
Login shell: /bin/bash
Principal name: winfried@IPA.EXAMPLE.LOCAL
Principal alias: winfried@IPA.EXAMPLE.LOCAL
Email address: winfried@ipa.example.local
UID: 100018
GID: 100018
User authentication types: password, otp
Account disabled: False
Password: True
Member of groups: ipausers
Member of Sudo rule: reboot
Member of HBAC rule: freeipa-clientxx
Kerberos keys available: True
The host indeed will force otp upon login:
[winfried@freeipa-client03 ~]$ ipa host-show $(hostname)
Host name: freeipa-client03.ipa.example.local
Principal name: host/freeipa-client03.ipa.example.local@IPA.EXAMPLE.LOCAL
Principal alias: host/freeipa-client03.ipa.example.local@IPA.EXAMPLE.LOCAL
SSH public key fingerprint:
SHA256:a03P2T5BqumEXarmQlZxqD9VNIw6l9VTSXkhRp3wKo8 (ssh-rsa),
SHA256:PlV7LeKRipRw5Fild77ENuazjUWhEIQbwxACegdj+34 (ecdsa-sha2-nistp256),
SHA256:DiPQ/EXr+w4ZSvCZBkdddGGYcJuITR64uIaMSbr0o0s (ssh-ed25519)
Authentication Indicators: otp
Password: False
Member of Sudo rule: reboot
Member of HBAC rule: freeipa-clientxx
Keytab: True
Managed by: freeipa-client03.ipa.example.local
However, leaving the second factor empty, sudo will fail:
sudo -l
First Factor:
Second Factor (optional):
Sorry, try again.
First Factor:
Second Factor (optional):
Sorry, try again.
First Factor:
Second Factor (optional):
sudo: 3 incorrect password attempts
Both IPA-server and client are running on CentOS 7.5.
On 23-03-18 at 09:32, Sumit Bose via FreeIPA-users wrote:
On Thu, Mar 22, 2018 at 10:28:17AM -0700, Sean Hogan via FreeIPA-users wrote:
Hello,
We are implementing OTP for a new deployment and we can log in with the
otp codes however when trying to sudo it fails. We would like to use the
2fa to log in but single factor is ok for sudo escalation. Is OTP supposed
to be getting involved when issuing sudo commands?
You have to allow on the server that the user can use both 1FA
(password) or 2FA, see --user-auth-type option of 'ipa user-add'.
To force 2FA at the log in you have to define on the server that the
host requires the 'OTP' authentication indicator, see --auth-ind option
of 'ipa host-mod'
HTH
bye,
Sumit
bob@ipa-client1$ sudo cat /etc/resolv.conf
First Factor:
Second Factor:
Sorry, try again.
First Factor:
sudo: 1 incorrect password attempt
ipa-server-dns-4.5.0-21.el7_4.2.2.noarch
python-libipa_hbac-1.15.2-50.el7_4.6.x86_64
python-ipaddress-1.0.16-2.el7.noarch
ipa-common-4.5.0-21.el7_4.2.2.noarch
ipa-client-common-4.5.0-21.el7_4.2.2.noarch
python2-ipalib-4.5.0-21.el7_4.2.2.noarch
ipa-server-common-4.5.0-21.el7_4.2.2.noarch
ipa-client-4.5.0-21.el7_4.2.2.x86_64
libipa_hbac-1.15.2-50.el7_4.6.x86_64
python2-ipaclient-4.5.0-21.el7_4.2.2.noarch
python2-ipaserver-4.5.0-21.el7_4.2.2.noarch
sssd-ipa-1.15.2-50.el7_4.6.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.5.0-21.el7_4.2.2.x86_64
Sean Hogan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
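As an added example that is not part of this thread: the rule Sumit describes (a host-level 'otp' authentication indicator applies to every SSSD/PAM service, sudo included; without it, a user whose auth types include 'password' can get by with one factor) applied to the `ipa user-show` / `ipa host-show` output quoted above. The second, indicator-free host and the 'denied' outcome for a password-only user on an otp-indicated host are assumptions, not something shown in the thread.

```python
"""Predict which factor SSSD/PAM will demand on an IPA client from the text
output of `ipa user-show` and `ipa host-show`.  Sample fields below are copied
from the thread; HOST_SHOW_PLAIN is constructed for contrast."""
import re

USER_SHOW = """\
User login: winfried
User authentication types: password, otp
Account disabled: False
"""

HOST_SHOW_OTP = """\
Host name: freeipa-client03.ipa.example.local
Authentication Indicators: otp
Keytab: True
"""

# Constructed: the same kind of host, but with no --auth-ind set.
HOST_SHOW_PLAIN = """\
Host name: freeipa-client02.ipa.example.local
Keytab: True
"""

# Every PAM service SSSD handles on the client sees the host indicator;
# sudo is not special-cased, which is the point of the thread.
PAM_SERVICES = ("login", "sshd", "sudo", "su")


def parse_field(output, name):
    """Return the comma-separated values of one `ipa *-show` field, or []."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.*)$", output, re.MULTILINE)
    if not m or not m.group(1).strip():
        return []
    return [v.strip() for v in m.group(1).split(",")]


def required_factor(user_show, host_show, service):
    """'otp' if the service will insist on a second factor, 'password' if a
    single factor suffices, 'denied' if the user cannot meet the host policy."""
    if service not in PAM_SERVICES:
        raise ValueError(f"not an SSSD-handled PAM service: {service!r}")
    user_types = parse_field(user_show, "User authentication types")
    host_inds = parse_field(host_show, "Authentication Indicators")
    if "otp" in host_inds:
        # Host indicator: 2FA for all services.  A user whose auth types
        # cannot produce an OTP ticket cannot satisfy it (assumption).
        return "otp" if "otp" in user_types else "denied"
    # No indicator: an empty type list means the global default (password).
    return "password" if not user_types or "password" in user_types else "otp"


def summary(user_show, host_show):
    """Per-service view, e.g. to see that sudo and sshd always agree."""
    return {s: required_factor(user_show, host_show, s) for s in PAM_SERVICES}
```

Running `summary(USER_SHOW, HOST_SHOW_OTP)` shows 'otp' for sudo as well as sshd; the only configuration that yields 'password' for sudo also yields it for the interactive logins.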