Thanks, but I think I have a problem. I have a test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 152200001
  GID: 152200001
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

And a test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain....@mydomain.com
  Principal alias: host/ipa-client.mydomain....@mydomain.com
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com

When I try to log in to ipa-client.mydomain.com with password+otptoken I get an error:

[mynotebook]$ ssh t...@ipa-client.mydomain.com
t...@ipa-client.mydomain.com's password:
Permission denied, please try again.

The same happens if I try to use just the password.

On the IPA server, in krb5kdc.log, I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain....@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain....@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain....@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose <sb...@redhat.com>:

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please. Is it possible to use password and otp auth at the same
> > time?
> >
> > For example I have DEV/STAGE servers and want to be able to use password
> > auth for ssh, but for PROD servers I want to use OTP auth for the same user.
>
> Authentication indicators can be used for this. If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

--
Best regards,
Andrey Dudin
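
Added example, not part of the original thread and not FreeIPA or MIT Kerberos code: a small parser for krb5kdc.log lines in the format quoted above that reports service-ticket refusals caused by missing authentication indicators, and checks whether the TGT presented (matched by client and authtime) was issued in the same log. The sample log is constructed, all principals, hosts and addresses in it are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc.log format quoted above; all names,
# realms and addresses are placeholders.
SAMPLE_LOG = """\
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
"""

LINE = re.compile(r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
                  r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
AUTHTIME = re.compile(r"authtime (\d+)")
PRINCIPALS = re.compile(r"(\S+) for ([^\s,]+)")
MISSING = re.compile(r"Required auth indicators not present in ticket: (.+)$")


def parse(lines):
    """Yield one dict per AS_REQ/TGS_REQ line; other KDC lines are skipped."""
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            continue
        rest = m["rest"]
        who, at, miss = PRINCIPALS.search(rest), AUTHTIME.search(rest), MISSING.search(rest)
        yield {"req": m["req"], "ip": m["ip"], "status": m["status"],
               "client": who[1] if who else None,
               "service": who[2] if who else None,
               "authtime": at[1] if at else None,
               "missing": tuple(miss[1].split()) if miss else ()}


def indicator_denials(lines):
    """Summarise service-ticket refusals caused by missing auth indicators."""
    events = list(parse(lines))
    # (client, authtime) of every TGT issued in this log; a refused TGS_REQ
    # logs the authtime of the TGT it presented.
    tgts = {(e["client"], e["authtime"]) for e in events
            if e["req"] == "AS_REQ" and e["status"] == "ISSUE"}
    counts = Counter(
        (e["client"], e["service"], e["missing"], e["ip"],
         (e["client"], e["authtime"]) in tgts)
        for e in events if e["status"] == "HIGHER_AUTHENTICATION_REQUIRED")
    fields = ("client", "service", "missing", "ip", "tgt_issued_in_log")
    return [dict(zip(fields, key), attempts=n) for key, n in counts.items()]


if __name__ == "__main__":
    for row in indicator_denials(SAMPLE_LOG.splitlines()):
        print(row)
```

A row with tgt_issued_in_log set to True means the initial AS exchange succeeded and the refusal came from the host's indicator requirement, not from a wrong password.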