On Tue, Nov 21, 2017 at 01:47:04PM +1300, Aaron Hicks via FreeIPA-users wrote:
> I found it, it was in /etc/ssh/sshd_config
>
> This requires in the sshd config:
>
> ChallengeResponseAuthentication yes
> AuthenticationMethods keyboard-interactive
>
> We now can enable 2FA on a per-host basis.
Glad it is working for you now. Yes, ChallengeResponseAuthentication must be set to 'yes' because with PasswordAuthentication the ssh client will unconditionally only ask for a password.

bye,
Sumit

>
> -----Original Message-----
> From: Aaron Hicks [mailto:[email protected]]
> Sent: Tuesday, 21 November 2017 1:32 PM
> To: 'FreeIPA users list' <[email protected]>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
>
> I think pam/sssd is not authenticating correctly.
>
> This is what the login sequence looks like when the otp auth indicator is set
> on the host, and default user auth is password and otp:
>
> ssh user@test2fa01
> user@test2fa01's password:
> user@test2fa01's password:
> user@test2fa01's password:
> First Factor:
> Second Factor (optional):
> First Factor:
> Second Factor (optional):
> Connection to test2fa01 closed by remote host.
> Connection to test2fa01 closed.
>
> Shouldn't it just be using the First Factor: Second Factor: style prompt?
>
> -----Original Message-----
> From: Aaron Hicks [mailto:[email protected]]
> Sent: Tuesday, 21 November 2017 1:32 PM
> To: 'FreeIPA users list' <[email protected]>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
>
> When assuming the user as a regular user we get a "Correct" response, so pam
> and sssd are not co-operating:
>
> [user2@test2fa01 ~]$ su - user
> First Factor:
> Second Factor (optional):
> Last login: Mon Nov 20 04:23:17 UTC 2017 from laptop.local on pts/0
> Last failed login: Mon Nov 20 23:27:17 UTC 2017 from laptop.local on ssh:notty
> There were 47 failed login attempts since the last successful login.
> [user@test2fa01 ~]$
>
>
> -----Original Message-----
> From: Aaron Hicks [mailto:[email protected]]
> Sent: Tuesday, 21 November 2017 12:02 PM
> To: 'FreeIPA users list' <[email protected]>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
>
> Hello the list,
>
> I think pam/sssd is not authenticating correctly.
>
> This is what the login sequence looks like when the otp auth indicator is set
> on the host, and default user auth is password and otp:
>
> ssh user@test2fa01
> user@test2fa01's password:
> user@test2fa01's password:
> user@test2fa01's password:
> First Factor:
> Second Factor (optional):
> First Factor:
> Second Factor (optional):
> Connection to test2fa01 closed by remote host.
> Connection to test2fa01 closed.
>
> Shouldn't it just be using the First Factor: Second Factor: style prompt?
>
> -----Original Message-----
> From: Aaron Hicks [mailto:[email protected]]
> Sent: Monday, 20 November 2017 5:33 PM
> To: 'FreeIPA users list' <[email protected]>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
>
> Hello the List,
>
> This doesn't quite work. We have two hosts, we want a user to just use a
> password on one host, and password + OTP on a second host.
>
> I have set the FreeIPA server to use both password and otp+password:
>
> ipa config-mod --user-auth-type={password,otp}
>
> One host (test2fa02) left with no required auth indicator.
>
> One host (test2fa01) with otp as a required auth indicator:
>
> ipa host-mod --auth-ind=otp test2fa01
>
> I have a user with a token, and no auth-types chosen (i.e. using defaults)
> and an OTP token set.
>
> The user is able to log in to test2fa02 which does not require OTP, but I am
> unable to log into test2fa01.
>
> I set the user to use OTP only; two factor authentication works, but is
> required by both hosts.
>
> I set the default to use OTP only; two factor authentication works, but is
> required on both hosts.
>
> If I unset the auth options on user and server the password works on
> test2fa02, but auth fails on test2fa01.
>
> If I unset auth for user, and set server auth to password and OTP the
> password works on test2fa02, but auth fails on test2fa01.
>
> If I unset auth for server, and set auth for user to password and OTP the
> password works on test2fa02, but auth fails on test2fa01.
>
> We only want 2FA required on specific hosts, the other hosts should
> authenticate with just password.
>
>
> Any suggestions?
>
> Aaron
>
> -----Original Message-----
> From: Aaron Hicks [mailto:[email protected]]
> Sent: Monday, 20 November 2017 12:59 PM
> To: 'FreeIPA users list' <[email protected]>
> Subject: RE: [Freeipa-users] Re: Enabling two-factor by host
>
> Thanks Sumit,
>
> This looks like what we're after, I'll follow up after some testing.
>
> Aaron
>
> -----Original Message-----
> From: Sumit Bose via FreeIPA-users
> [mailto:[email protected]]
> Sent: Friday, 17 November 2017 9:06 PM
> To: [email protected]
> Cc: Sumit Bose <[email protected]>
> Subject: [Freeipa-users] Re: Enabling two-factor by host
>
> On Fri, Nov 17, 2017 at 04:09:01AM +0000, Aaron Hicks via FreeIPA-users wrote:
> > Hello the list,
> >
> > Is it possible to enable two-factor authentication using Google
> > Authenticator on FreeIPA on specific hosts or groups of hosts?
> >
> > Alternatively, are there any recommendations on modifying the Pam
> > configuration on these 2FA required machines to grab the OTP token from
> > FreeIPA when a user logs in?
>
> Please check if authentication indicators is what you are looking for, see
> e.g.
> https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indicators/
> for details, look especially for 'Enforcing 2FA on a host principal'.
>
> HTH
>
> bye,
> Sumit
>
> > Regards,
> >
> > Aaron
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
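An added check, not code from the thread or from FreeIPA, for the sshd side of the fix Aaron found: it reads an `sshd -T` dump (the effective configuration, one lower-cased "keyword value" per line) and reports whether every login path is forced through keyboard-interactive, i.e. through PAM/SSSD, so the "First Factor:" / "Second Factor:" prompts can appear. The sample dumps are constructed, not taken from the thread's hosts; the kbdinteractiveauthentication spelling is the name OpenSSH 8.7 and later print for ChallengeResponseAuthentication.

```shell
#!/bin/sh
# Added example, not from the thread: verify that sshd will hand the login to
# PAM/SSSD (keyboard-interactive) instead of asking for a plain password.
# Input is the text printed by `sshd -T`. ChallengeResponseAuthentication is
# reported as kbdinteractiveauthentication by OpenSSH 8.7+, so both are accepted.

# Usage: check_sshd_2fa_ready "$(sshd -T)"; returns 0 when ready, 1 otherwise.
check_sshd_2fa_ready() {
    conf=$1
    kbd=$(printf '%s\n' "$conf" | awk '$1 == "challengeresponseauthentication" ||
        $1 == "kbdinteractiveauthentication" { print $2; exit }')
    methods=$(printf '%s\n' "$conf" | awk '$1 == "authenticationmethods" {
        sub(/^[^ ]+ +/, ""); print; exit }')

    if [ "$kbd" != "yes" ]; then
        echo "NOT READY: challenge-response/keyboard-interactive auth is '${kbd:-unset}', need yes"
        return 1
    fi
    if [ -z "$methods" ]; then
        echo "NOT READY: AuthenticationMethods is not set"
        return 1
    fi
    # Each space-separated alternative is a comma-separated list that must all
    # succeed; an alternative without keyboard-interactive would let a login skip
    # the PAM conversation and therefore the OTP prompt.
    for alt in $methods; do
        case ",$alt," in
            *,keyboard-interactive,*) ;;
            *) echo "NOT READY: method list '$alt' omits keyboard-interactive"; return 1 ;;
        esac
    done
    echo "READY: every AuthenticationMethods alternative goes through keyboard-interactive"
    return 0
}

# Constructed sample dumps (not real sshd -T output from the thread's hosts).
SAMPLE_GOOD='challengeresponseauthentication yes
passwordauthentication no
authenticationmethods keyboard-interactive'

SAMPLE_BAD='challengeresponseauthentication no
passwordauthentication yes
authenticationmethods any'

SAMPLE_BYPASS='kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive publickey'

for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_BYPASS"; do
    check_sshd_2fa_ready "$sample" || true
done
```

Running it against a real host is `check_sshd_2fa_ready "$(sudo sshd -T)"`; the FreeIPA side (the otp auth indicator on the host principal) still has to be set as in the thread.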
