Hello the list,

We just had a bit of fuss involving user logins. We’re using sssd 1.16.1 on a client and FreeIPA 4.5.4 (ok, it’s really RHIdM).

We had a lot of users having issues logging in and/or resetting their passwords on a host with 2FA enabled, and it turns out that when they’re using an advanced SSH client (e.g. MobaXterm) that also starts an SFTP session they can’t log in and we see errors like:

Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local

If the SFTP file browser is disabled, or its protocol is set to use SCP, then logins progress normally.

In FreeIPA we’ve enabled 2FA on a per-host basis and the HBAC rule only allows sshd services, so if these were the cause of the ‘4 (System error)’ failures then it’d be much better if the error reports were more meaningful.

Does anyone have any advice on setting up SFTP so that it works (and ideally, doesn’t need repeated entry of credentials)?

Regards,

Aaron
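An added example, not part of Aaron's post and not code from sssd or FreeIPA: a small Python script that parses the two syslog line formats quoted above and tallies, per user, how many pam_sss results were module-level failures versus ordinary bad-credential results. The point it illustrates is that `4` in a `pam_sss ... received for user` line is Linux-PAM's `PAM_SYSTEM_ERR` (the module could not complete the check), not `PAM_AUTH_ERR` (`7`, a wrong password or OTP), so these events should be triaged as a configuration problem and not fed into a lockout or brute-force counter. The first two sample lines are the ones from the post; the remaining lines, the user `bob` and the address `192.0.2.10` are constructed here for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input: the first two lines are the ones quoted in the
# post; the remaining lines are made up here to show the contrast between a
# module-level failure (code 4) and an ordinary bad-credential failure (code 7).
SAMPLE_LOG = """\
Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
Sep 11 00:12:41 lander sshd[27511]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Sep 11 00:12:41 lander sshd[27509]: error: PAM: Authentication failure for bob from 192.0.2.10
Sep 11 00:15:02 lander sshd[27602]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Sep 11 00:15:03 lander sshd[27598]: error: PAM: Authentication failure for testuser from remote.local
"""

# Subset of Linux-PAM return codes (from _pam_types.h) that show up in
# pam_sss "received for user" lines.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD",
}

# Codes meaning the module or its backend could not complete the check,
# as opposed to the user presenting a wrong credential (PAM_AUTH_ERR, 7).
MODULE_ERROR_CODES = {4, 9}

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
PAM_SSS_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<stage>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)
SSHD_FAIL_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(log_text):
    """Turn raw syslog lines into event dicts; lines of any other shape are skipped."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PAM_SSS_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = "pam_sss"
            ev["code"] = int(ev["code"])
            ev["code_name"] = PAM_CODES.get(ev["code"], "UNKNOWN")
            events.append(ev)
            continue
        m = SSHD_FAIL_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = "sshd_failure"
            events.append(ev)
    return events


def classify(code):
    """Bucket a pam_sss return code as module error, credential error, or other."""
    if code in MODULE_ERROR_CODES:
        return "module_error"
    if code == 7:
        return "credential_error"
    return "other"


def summarize(log_text):
    """Per-user tallies of module errors, credential errors and sshd failures."""
    summary = defaultdict(lambda: {
        "module_error": 0, "credential_error": 0, "other": 0,
        "sshd_failures": 0, "sources": set(),
    })
    for ev in parse_events(log_text):
        entry = summary[ev["user"]]
        if ev["kind"] == "pam_sss":
            entry[classify(ev["code"])] += 1
        else:
            entry["sshd_failures"] += 1
            entry["sources"].add(ev["src"])
    return dict(summary)


def users_with_module_errors(log_text):
    """Users whose failures are all module errors: investigate as a config
    problem (the module never got to judge the credential), not as bad passwords."""
    return sorted(u for u, s in summarize(log_text).items()
                  if s["module_error"] > 0 and s["credential_error"] == 0)


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(f"{user}: module_error={s['module_error']} "
              f"credential_error={s['credential_error']} "
              f"sshd_failures={s['sshd_failures']} from={sorted(s['sources'])}")
    print("investigate:", users_with_module_errors(SAMPLE_LOG))
```

Run it against `/var/log/secure` (or `journalctl -u sshd`) on the affected host to see whether the failing users ever produce a `7` at all; if they only produce `4`, the credential was never evaluated, which is the case to raise with the sssd/IPA side rather than with the users.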