On Mon, Sep 18, 2023 at 03:55:32PM -0000, Sirio Sannipoli via
FreeIPA-users wrote:
> Hello everyone,
> I've already done searches without success, I need someone to point me
> in the direction of resolving a strange behavior I'm experiencing on
> servers with the RedHat/Centos operating system.
> I have installed FreeIPA 4.10.1 on Oracle Linux 9 and all users by
> default have Radius authentication via a Cisco server, users can
> access via SSH to 100 Servers configured, we have OS of all types
> (Debian, RedHat, Centos, Ubuntu).
> The behavior I get is the following:
> Debian based distro: SSH Login and SUDO work perfectly using the
> Radius credentials
> RedHat based distro: SSH Login prompt asks for 2FA, first factor &
> second factor (optional) and I can log in by entering the Radius
> credentials and using the same password 2 times, SUDO asks for 2FA and
> authentication fails when entering the same password 2 times.
> I don't understand if the problem is on the FreeIPA client or server
> or why there is a difference in behavior between Debian and RedHat
> systems.
> Can anyone give me directions to understand what's happening?

Hi,

as long as the Radius server only expects a single string for
authentication please just enter the password at the first prompt and
just press enter at the second (optional) prompt. Then authentication
should work in all cases.

ssh has a special behavior when it comes to multiple prompts where some
of them are optional. As a result there is some special handling for ssh
if the inputs in multiple prompts are the same. That's why entering the
password twice with ssh works, but just entering it at the first prompt
is the expected way to use it and should work as well.

HTH

bye,
Sumit

> 
> Note: I have never set up 2FA authentication on the FreeIPA server,
> the users are correctly configured and the "ipa user-show" command
> confirms "User authentication types: radius", if I change user
> configuration with the password, everything works fine.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue