Hello the list,
We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a
client and FreeIPA 4.5.4 (ok, it's really RHIdM).
We had a lot of users having issues logging in and/or resetting their passwords
on a host with 2FA enabled, and it turns out that when they're using an advanced
SSH client (e.g. MobaXterm) that also starts an SFTP session they can't log in
and we see errors like:
Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
If the SFTP file browser is disabled, or its protocol is set to use SCP,
then logins progress normally.
In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule only
allows sshd services, so if these were the cause of the '4 (System error)'
failures then it'd be much better if the error reports were more meaningful.
Does anyone have any advice on setting up SFTP so that it works (and
ideally, doesn't need repeated entry of credentials)?
Regards,
Aaron