I'd seen previous posts (now a few years old) on enabling per-host 2-factor
authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I
followed what I think are the correct steps to enable 2FA on a specific
host, but the behavior is a little strange:

User A: enable both Password and Two factor authentication (password +
OTP), and configure an OTP.

User B: enable just the Password option.

Host A: select "otp" under Authentication indicators, ensure the following
lines are present in /etc/ssh/sshd_config and restart sshd:

    ChallengeResponseAuthentication yes
    AuthenticationMethods keyboard-interactive

Host B: make no changes to Authentication indicators (none selected), make
the same changes as above to sshd_config.

After these changes:

User A -> Host A
The user sees the following prompts:

    First Factor:
    Second Factor (optional):

However, the second factor is required (as expected) and the login fails
without it.

User A -> Host B
The user gets the same prompt as above, but the second factor is actually
optional, and the login succeeds without supplying any value.

User B -> Host A
The user gets a regular password prompt, but cannot log in using the
correct password (as expected, since an OTP is required).

User B -> Host B
The user gets a regular password prompt and can log in as expected.

Everything is working more-or-less as expected, but the "Second Factor
(optional)" prompt is a little confusing, particularly in cases where it is
required. Is this due to my specific configuration (or mis-configuration)
or is this the expected behavior?
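As an added example (not part of the original post), a small sh check worth running on any host placed in the "otp" set before trusting the sshd_config step above: sshd uses the first occurrence of a keyword and treats every line after a Match line as part of that block, so appending the two lines to a stock file that already contains "ChallengeResponseAuthentication no" silently leaves the old value in force. The two sample configs are constructed and the function names are my own.

```shell
# Constructed sample (assumption): a stock-style sshd_config that already has
# "ChallengeResponseAuthentication no" and ends with a Match block, with the
# two lines from the post appended at the bottom.
BROKEN_CFG=$(mktemp); FIXED_CFG=$(mktemp)
cat >"$BROKEN_CFG" <<'EOF'
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    AuthenticationMethods publickey
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
EOF
# Same file, but the stock "no" changed to "yes" and the new directives placed
# in the global section, above the Match block.
cat >"$FIXED_CFG" <<'EOF'
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
UsePAM yes
Match User backup
    AuthenticationMethods publickey
EOF
# effective_value FILE KEYWORD: print the value sshd will use for KEYWORD in
# the global section. sshd_config rules: keywords are case-insensitive, the
# FIRST occurrence wins, and every line after a Match line belongs to that
# block (there is no "end Match"), so those lines are ignored here.
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    NF == 0 || /^[[:space:]]*#/ { next }      # skip blank lines and comments
    tolower($1) == "match" { in_match = 1 }
    in_match { next }
    tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
      sub(/[[:space:]]+$/, "")
      print; exit
    }' "$1"
}
# check_otp_host_sshd FILE: succeed only if the effective global settings are
# the two the post requires on an "otp" host; prints what sshd would use.
check_otp_host_sshd() {
  cra=$(effective_value "$1" ChallengeResponseAuthentication)
  am=$(effective_value "$1" AuthenticationMethods)
  echo "ChallengeResponseAuthentication -> ${cra:-<unset>}"
  echo "AuthenticationMethods -> ${am:-<unset>}"
  [ "$cra" = yes ] && [ "$am" = keyboard-interactive ]
}
for f in "$BROKEN_CFG" "$FIXED_CFG"; do
  if check_otp_host_sshd "$f"; then echo "=> enforced"; else echo "=> NOT enforced"; fi
done
```

On the first sample the check reports "no" and an unset AuthenticationMethods, which is exactly the state in which sshd would keep offering plain password logins despite the edit.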