On Fri, Jan 18, 2019 at 1:04 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On pe, 18 tammi 2019, Chris Herdt via FreeIPA-users wrote:
>I'd seen previous posts (now a few years old) on enabling per-host 2-factor
>authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I
>followed what I think are the correct steps to enable 2FA on a specific
>host, but the behavior is a little strange:
>
>User A: enable both Password and Two factor authentication (password +
>OTP), and configure a OTP.
>
>User B: enable just the Password option.
>
>Host A: select "otp" under Authentication indicators, ensure the following
>lines are present in /etc/ssh/sshd_config and restart sshd:
>ChallengeResponseAuthentication yes
>AuthenticationMethods keyboard-interactive
>
>Host B: make no changes to Authentication indicators (none selected), make
>the same changes as above to sshd_config.
>
>After these changes:
>
>User A -> Host A
>The user sees the following prompts:
>
>First Factor:
>Second Factor (optional):
>
>However, the second factor is required (as expected) and the login fails
>without it.
>
>User A -> Host B
>The user gets the same prompt as above, but the second factor is actually
>optional, and the login succeeds without supplying any value.
>
>User B -> Host A
>The user gets a regular password prompt, but cannot log in using the
>correct password (as expected, since a OTP is required).
>
>User B -> Host B
>The user gets a regular password prompt and can log in as expected.
>
>Everything is working more-or-less as expected, but the "Second Factor
>(optional)" prompt is a little confusing, particularly in cases where it is
>required. Is this due to my specific configuration (or mis-configuration)
>or is this the expected behavior?
That's hard-coded in SSSD.

https://pagure.io/SSSD/sssd/issue/3264


Thanks! Good to know, I appreciate the info.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
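The sshd side of the setup described in the thread (ChallengeResponseAuthentication yes plus AuthenticationMethods keyboard-interactive) is easy to get subtly wrong: sshd takes the first occurrence of a directive, and an AuthenticationMethods line that lists an alternative without keyboard-interactive lets a client skip the PAM/SSSD prompt entirely. The following script is an added example, not code from the thread or from FreeIPA/SSSD. It parses a given sshd_config file and reports whether the global settings actually force every login through keyboard-interactive. The helper names (sshd_effective, sshd_requires_2fa) and the sample config files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an sshd_config forces
# keyboard-interactive authentication, as needed for FreeIPA OTP prompts.
# Assumptions: directives are "Keyword value" or "Keyword=value"; only
# global settings are checked (lines after a Match block are ignored).

# sshd_effective FILE KEYWORD
# Prints the effective global value of KEYWORD: sshd uses the FIRST
# occurrence outside any Match block. Keyword match is case-insensitive.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        { sub(/=/, " ") }                               # accept Keyword=value
        tolower($1) == "match" { inmatch = 1; next }     # rest belongs to Match
        inmatch { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop keyword
            sub(/[[:space:]]+$/, "")
            print; exit                                  # first wins
        }
    ' "$1"
}

# sshd_requires_2fa FILE
# Returns 0 only if ChallengeResponseAuthentication is yes AND every
# alternative in AuthenticationMethods includes keyboard-interactive.
# (Newer OpenSSH spells the first directive KbdInteractiveAuthentication;
# the thread's CentOS 7 sshd uses the older name checked here.)
sshd_requires_2fa() {
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    am=$(sshd_effective "$1" AuthenticationMethods | tr 'A-Z' 'a-z')
    [ "$cra" = "yes" ] || return 1
    [ -n "$am" ] || return 1      # unset means "any": one method suffices
    for alt in $am; do            # space-separated alternatives
        case ",$alt," in
            *",keyboard-interactive,"*) ;;   # this path reaches PAM/SSSD
            *) return 1 ;;                   # this path bypasses the OTP
        esac
    done
    return 0
}

# Constructed sample configs (not real hosts) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hostA" <<'EOF'
# matches the thread's Host A settings
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
EOF
cat > "$SAMPLE_DIR/default" <<'EOF'
# stock CentOS 7 style: challenge-response disabled
ChallengeResponseAuthentication no
EOF
cat > "$SAMPLE_DIR/bypass" <<'EOF'
# publickey alone is an accepted alternative; the later line never applies
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive
AuthenticationMethods keyboard-interactive
EOF
cat > "$SAMPLE_DIR/strict" <<'EOF'
ChallengeResponseAuthentication=yes
AuthenticationMethods publickey,keyboard-interactive
EOF

for f in hostA default bypass strict; do
    if sshd_requires_2fa "$SAMPLE_DIR/$f"; then r="2FA enforced"; else r="NOT enforced"; fi
    printf '%-8s %s\n' "$f" "$r"
done
```

Run it as `sh check_sshd_2fa.sh`; to check a real host, call `sshd_requires_2fa /etc/ssh/sshd_config` after sourcing the functions. Match blocks are deliberately skipped, so any per-user or per-address overrides still need a separate look, and `sshd -T` on the host itself remains the authoritative view of the effective configuration.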