"Master P." <junkmafi...@gmail.com> writes: > Is it possible to authenticate a user with only OTP and ssh-pubkeys?
Yes, but you need some tool managing OTP without password/PIN, which FreeIPA doesn't seem to support. I use privacyidea to manage my OTP tokens and have a working configuration. > So far I have successfully configured FreeIPA to use Two factor > authentication (password + OTP). I had to change the sshd_config to > achieve this by modifying the AuthenticationMethods to be: > > AuthenticationMethods publickey,password:pam > publickey,keyboard-interactive-pam I do use: Match Group otpusers AuthenticationMethods publickey,keyboard-interactive:pam gssapi-with-mic When authenticating with ssh key, also require PAM. Having a kerberos ticket grants access. My PAM configuration is: # If the user is in group otpusers, we use the next rule, otherwise we skip # the call to pam_yubico. auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers auth sufficient pam_yubico.so id=<clientid> key=<key> urllist=https://privacyidea.jochen.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys I use Yubikeys in mode YUBICO, but my own privacyidea authentication server. It should be also possible to use privacyidea as a backend behind a RADIUS server for FreeIPA (I do use it for OpenVPN, but not FreeIPA). If find it more flexible to hand off OTP to a special tool like privacyidea oder linotp - a token on FreeIPA, Kolab, or another application is only a single purpose token. Jochen -- The only problem with troubleshooting is that the trouble shoots back. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project