Thanks, but I think I have a problem.

I have a test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 152200001
  GID: 152200001
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And a test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain....@mydomain.com
  Principal alias: host/ipa-client.mydomain....@mydomain.com
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com


When I try to log in to ipa-client.mydomain.com with password+otptoken I
get an error:

[mynotebook]$ ssh t...@ipa-client.mydomain.com
t...@ipa-client.mydomain.com's password:
Permission denied, please try again.


Same if I try to use just the password.

On the IPA server in krb5kdc.log I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain....@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain....@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain....@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose <sb...@redhat.com>:

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please, is it possible to use password and OTP auth at the same
> > time?
> >
> > For example, I have DEV/STAGE servers and want to be able to use password
> > auth for ssh, but for PROD servers I want to use OTP auth for the same user.
>
> Authentication indicators can be used for this. If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
>



-- 
Best regards, Andrey Dudin
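As an added example (not from this thread or the FreeIPA project), a small Python parser for krb5kdc.log lines of the kind shown above: it flags TGS requests rejected with HIGHER_AUTHENTICATION_REQUIRED, reports which authentication indicator the ticket lacked, and notes whether the same client had just been issued a TGT from the same IP. The KDC host, principals, realm and IP in the sample log are constructed.

```python
import re
from typing import Iterator, Optional

# One krb5kdc.log request line: timestamp, KDC host, request type, client IP,
# status keyword, then the free-text remainder ("<client> for <service>, <detail>").
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+@\S+) for (?P<service>[^\s,]+@[^\s,]+)")
MISSING = re.compile(r"Required auth indicators not present in ticket: (?P<ind>[\w, ]+)$")

# Constructed sample log (hostnames, principals and IP are made up for this example).
SAMPLE_LOG = """\
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a KDC request line, or None for lines like 'closing down fd'."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["service"] = p.group("service") if p else None
    mi = MISSING.search(rec["rest"])
    rec["missing_indicators"] = mi.group("ind").split(", ") if mi else []
    return rec


def indicator_failures(lines) -> Iterator[dict]:
    """Yield one record per TGS_REQ rejected because the TGT lacks a required
    auth indicator, noting whether that client got a TGT from the same IP earlier."""
    issued = {}  # client principal -> IP of its most recent AS_REQ ISSUE
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["req"] == "AS_REQ" and rec["status"] == "ISSUE":
            issued[rec["client"]] = rec["ip"]
        elif rec["status"] == "HIGHER_AUTHENTICATION_REQUIRED" and rec["missing_indicators"]:
            yield {"client": rec["client"], "service": rec["service"], "ip": rec["ip"],
                   "missing": rec["missing_indicators"],
                   "tgt_issued_from_same_ip": issued.get(rec["client"]) == rec["ip"]}


def summarize(log_text: str) -> list:
    """Collect all indicator failures in a log text as a list of records."""
    return list(indicator_failures(log_text.splitlines()))


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG):
        print(f"{f['client']} -> {f['service']} from {f['ip']}: missing {f['missing']}")
```

Running it on the sample log reports the one rejected host/ service-ticket request and the indicator (otp) the TGT did not carry, which is the same pattern as the two TGS_REQ lines in the log above.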