8:32 a.m.
Hey,
So I am trying to implement TOTP+password for SSH on a server. In the
past its been as simple as using google authenticatior but seeing as how
we have a shiny FreeIPA server...
Created a user, then gave them a TOTP token (synched and tested that it
works by logging into the web ui). But I'm stuck at the correct way to
implement this on the SSH server.
Found the earlier thread[1] and got some pointers.
sshd config:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
If I do not define password/otp for the host via the IPA web interface,
login works fine with password. If I set it to password/otp only it fails.
Looking at journalctl -xeu ssh.service there clearly is some issue.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832
ssh2 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832
ssh2
Connection closed by authenticating user kjell 192.168.31.102 port 38832
[preauth]
Tried giving my password, and my password+otp (without the '+'). But
nothing works.
Anyone got any pointers or see any obvious mistakes ?
1:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
--
Mvh,
Kjell C. Nicolaysen
PGP Public key available on request.
Current key (at time of this email) fingerprint:
3F59 7410 AFD5 FC22 F2F1 EEC9 980A 8C9E C126 6716