Aah ok! Unfortunately I'm using Amazon Linux and it does not support SSSD. I ended up using nss-pam-ldap, nscd and nslcd.
However this looks promising. Only for the servers exposed to Internet I could use CentOS/Fedora and this method of authentication. Let me try this and come back to you.

Thanks.

--Prashant

On 27 June 2015 at 10:17, Alexander Bokovoy <aboko...@redhat.com> wrote:

> ----- Original Message -----
> > Hi,
> >
> > I'm exploring implementing a 2FA solution to my servers exposed to public.
> > Mainly to secure SSH with 2FA. The SSH keys and users are already in
> > FreeIPA.
> >
> > Is there a way to utilize the OTP inside FreeIPA during a user login to these
> > servers? A user will have to enter the TOTP code based on what's configured
> > in FreeIPA. Something along the lines of
> > https://github.com/google/google-authenticator/tree/master/libpam
> If you are using SSSD (pam_sss), it will automatically accept 2FA.
>
> You need to force OpenSSH to combine authentication methods, something like:
>
> AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
> Look into sshd_config manual page for details. This is a feature of OpenSSH 6.2 or later.
>
> --
> / Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
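A check for the `AuthenticationMethods` line quoted in the thread, as an added example that is not part of the original messages: it reads sshd_config text and reports any accepted login path that does not combine publickey with a PAM-backed second step. The function names and the sample configurations are constructed for illustration, and only the global section (before the first `Match` block) is examined.

```python
# Added example (not from the thread): audit sshd_config text for enforced 2FA.
# Methods that can carry the OTP prompt through PAM (pam_sss in the thread).
SECOND_FACTORS = {"password", "keyboard-interactive"}

def global_auth_methods(config_text):
    """Return the effective global AuthenticationMethods value, or None.

    sshd keeps the first value it obtains for a keyword, so the first hit wins.
    Parsing stops at the first Match block, whose settings are conditional.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            return None
        if keyword == "authenticationmethods" and len(parts) == 2:
            return parts[1].strip()
    return None

def audit(config_text):
    """Return findings; an empty list means every accepted path needs both factors."""
    value = global_auth_methods(config_text)
    if value is None or value.lower() == "any":
        return ["AuthenticationMethods unset or 'any': one method is enough to log in"]
    findings = []
    # Space-separated lists are alternatives; commas chain required steps.
    for method_list in value.split():
        names = {m.split(":", 1)[0].lower() for m in method_list.split(",")}
        if "publickey" not in names:
            findings.append(f"{method_list}: no publickey step")
        if not SECOND_FACTORS & names:
            findings.append(f"{method_list}: no password/keyboard-interactive step for the OTP")
    return findings

# Constructed sample configurations.
GOOD = ("# constructed sample\nUsePAM yes\n"
        "AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam\n")
WEAK = "AuthenticationMethods publickey publickey,keyboard-interactive:pam\n"
UNSET = "UsePAM yes\nMatch User admin\n    AuthenticationMethods publickey,keyboard-interactive:pam\n"

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK), ("UNSET", UNSET)):
        print(name, audit(cfg) or "ok")
```

The check covers only the sshd side; whether the second step actually validates a FreeIPA OTP depends on the PAM stack behind it.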