I'd seen previous posts (now a few years old) on enabling per-host 2-factor authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I followed what I think are the correct steps to enable 2FA on a specific host, but the behavior is a little strange:
User A: enable both Password and Two factor authentication (password + OTP), and configure an OTP.
User B: enable just the Password option.
Host A: select "otp" under Authentication indicators, ensure the following lines are present in /etc/ssh/sshd_config and restart sshd:
    ChallengeResponseAuthentication yes
    AuthenticationMethods keyboard-interactive
Host B: make no changes to Authentication indicators (none selected), make the same changes as above to sshd_config.
After these changes:
User A -> Host A The user sees the following prompts:
    First Factor:
    Second Factor (optional):
However, the second factor is required (as expected) and the login fails without it.
User A -> Host B The user gets the same prompt as above, but the second factor is actually optional, and the login succeeds without supplying any value.
User B -> Host A The user gets a regular password prompt, but cannot log in using the correct password (as expected, since an OTP is required).
User B -> Host B The user gets a regular password prompt and can log in as expected.
Everything is working more-or-less as expected, but the "Second Factor (optional)" prompt is a little confusing, particularly in cases where it is required. Is this due to my specific configuration (or mis-configuration) or is this the expected behavior?
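The sshd_config part of the steps above, as a runnable shell example. This is added here and is not code from the thread or from the FreeIPA project; the config path, the user names and hosta.example.test are placeholders. The helper writes each directive at top level, above any Match block (directives after a Match line apply only to that block), and removes earlier copies first, because sshd honours the first occurrence of a keyword and a leftover "ChallengeResponseAuthentication no" higher in the file would silently win over a line appended at the bottom.

```shell
#!/bin/sh
# Added example, not from the thread: manage the two sshd_config directives the
# per-host OTP setup needs, plus the ipa CLI calls for the user/host side.
# Paths and names below are placeholders.

# set_sshd_directive FILE KEY VALUE
# Remove every top-level occurrence of KEY (sshd uses the first one it finds),
# then write "KEY VALUE" above the first Match block, or at the end if there
# is none, so the directive applies globally rather than to one Match block.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        !in_match && tolower($1) == "match"      { print key " " value; in_match = 1 }
        !in_match && tolower($1) == tolower(key) { next }
        { print }
        END { if (!in_match) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_directive FILE KEY
# Print the effective global value of KEY: the first uncommented occurrence
# before any Match block, which is how sshd resolves keywords.
get_sshd_directive() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# check_otp_sshd FILE
# Succeed only if both directives from the thread are in effect.
check_otp_sshd() {
    [ "$(get_sshd_directive "$1" ChallengeResponseAuthentication)" = "yes" ] &&
    [ "$(get_sshd_directive "$1" AuthenticationMethods)" = "keyboard-interactive" ]
}

# FreeIPA side of the same procedure (run with an admin ticket on an enrolled
# client). usera/userb/hosta.example.test are placeholders; this function is
# only a reference and is never called by this script.
ipa_configure_example() {
    ipa user-mod usera --user-auth-type=password --user-auth-type=otp
    ipa otptoken-add --owner=usera --type=totp
    ipa user-mod userb --user-auth-type=password
    ipa host-mod hosta.example.test --auth-ind=otp
}

# main [FILE]: apply both directives to FILE (a scratch file if omitted),
# verify the result, and remind about the sshd restart from the thread.
main() {
    cfg=${1:-$(mktemp)}
    set_sshd_directive "$cfg" ChallengeResponseAuthentication yes
    set_sshd_directive "$cfg" AuthenticationMethods keyboard-interactive
    if check_otp_sshd "$cfg"; then
        echo "sshd_config OK at $cfg; restart sshd to apply"
    else
        echo "sshd_config check failed at $cfg" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh otp_sshd.sh /etc/ssh/sshd_config` on the host that should require the OTP, then restart sshd as the thread says; `check_otp_sshd /etc/ssh/sshd_config` alone is a cheap audit for hosts that are supposed to be in the "otp" group but still accept a bare password prompt.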
On Fri, 18 Jan 2019, Chris Herdt via FreeIPA-users wrote:
> I'd seen previous posts (now a few years old) on enabling per-host 2-factor authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I followed what I think are the correct steps to enable 2FA on a specific host, but the behavior is a little strange:
> User A: enable both Password and Two factor authentication (password + OTP), and configure an OTP.
> User B: enable just the Password option.
> Host A: select "otp" under Authentication indicators, ensure the following lines are present in /etc/ssh/sshd_config and restart sshd:
>     ChallengeResponseAuthentication yes
>     AuthenticationMethods keyboard-interactive
> Host B: make no changes to Authentication indicators (none selected), make the same changes as above to sshd_config.
> After these changes:
> User A -> Host A The user sees the following prompts:
>     First Factor:
>     Second Factor (optional):
> However, the second factor is required (as expected) and the login fails without it.
> User A -> Host B The user gets the same prompt as above, but the second factor is actually optional, and the login succeeds without supplying any value.
> User B -> Host A The user gets a regular password prompt, but cannot log in using the correct password (as expected, since an OTP is required).
> User B -> Host B The user gets a regular password prompt and can log in as expected.
> Everything is working more-or-less as expected, but the "Second Factor (optional)" prompt is a little confusing, particularly in cases where it is required. Is this due to my specific configuration (or mis-configuration) or is this the expected behavior?
That's hard-coded in SSSD.
https://pagure.io/SSSD/sssd/issue/3264
On Fri, Jan 18, 2019 at 1:04 PM Alexander Bokovoy abokovoy@redhat.com wrote:
> On Fri, 18 Jan 2019, Chris Herdt via FreeIPA-users wrote:
>> I'd seen previous posts (now a few years old) on enabling per-host 2-factor authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I followed what I think are the correct steps to enable 2FA on a specific host, but the behavior is a little strange:
>> User A: enable both Password and Two factor authentication (password + OTP), and configure an OTP.
>> User B: enable just the Password option.
>> Host A: select "otp" under Authentication indicators, ensure the following lines are present in /etc/ssh/sshd_config and restart sshd:
>>     ChallengeResponseAuthentication yes
>>     AuthenticationMethods keyboard-interactive
>> Host B: make no changes to Authentication indicators (none selected), make the same changes as above to sshd_config.
>> After these changes:
>> User A -> Host A The user sees the following prompts:
>>     First Factor:
>>     Second Factor (optional):
>> However, the second factor is required (as expected) and the login fails without it.
>> User A -> Host B The user gets the same prompt as above, but the second factor is actually optional, and the login succeeds without supplying any value.
>> User B -> Host A The user gets a regular password prompt, but cannot log in using the correct password (as expected, since an OTP is required).
>> User B -> Host B The user gets a regular password prompt and can log in as expected.
>> Everything is working more-or-less as expected, but the "Second Factor (optional)" prompt is a little confusing, particularly in cases where it is required. Is this due to my specific configuration (or mis-configuration) or is this the expected behavior?
> That's hard-coded in SSSD.
Thanks! Good to know, I appreciate the info.
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org