[Freeipa-users] Re: Host based two factor requirements

Thank you both for the swift response. I totally missed the note on it being disabled for servers. Is there any official advice instead on hardening access to IPA servers due to their sensitivity? I guess there's always restricting the HBAC to allow accounts which have password + otp and not password only enabled... On Mon, 20 Mar 2023 at 17:05, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > Alexander Bokovoy via FreeIPA-users wrote: > > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote: > >> Hi there, > >> > >> When I try and re-enable TOTP for a host auth indicator I receive > >> "invalid 'krbprincipalauthind': authentication indicators not allowed > in > >> service "host"" > >> Running FreeIPA 4.9.10 on Rocky. > >> > >> I'm having some issues working out the current methods of OTP > enforcement > >> for SSH interactive as a login method. I've had a look through > >> > https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli... > >> > >> but am still stuck. > >> > >> I previously had a host configured (on its own details page) as > requiring > >> password and otp as auth indicators. This was a little buggy in that > the > >> GUI didn't display it after setting it, but did require an OTP on > logging > >> in with SSH and was reflected byt the krbPrincipalAuthInd attr being > set. > >> [image: image.png] > >> I cleared this for the host for $reasons - resulting in the attrs being > >> removed, and now if I try and re-enable I get: > >> > >> [image: image.png] > >> > >> Following that clue and those from other posts, I've been looking at > the > >> services auth indicators as where to set instead, but as ssh or login > >> don't > >> have services I can't work out how I am supposed to achieve this now? > > > > Is this system an IPA server or a client? For IPA servers we prevent > > adding authentication indicators for the reasons described in the > > workshop chapter you reference. The check is done by seeing if this > > server's hostname is returned by 'ipa server-find' command. > > Per ticket https://pagure.io/freeipa/issue/8206 > > rob > > > > > You can modify 'krbprincipalauthind' LDAP attribute directly with > > ldapmodify to unstuck. > > > > > > > >