And sorry Alexander, to your question it is a server so it all makes sense.
On Mon, 20 Mar 2023 at 17:18, David Harvey <davidcharvey(a)googlemail.com>
wrote:
Thank you both for the swift response. I totally missed the note on it being disabled for servers.
Is there any official advice instead on hardening access to IPA servers
due to their sensitivity?
I guess there's always restricting the HBAC to allow accounts which have
password + otp and not password only enabled...
On Mon, 20 Mar 2023 at 17:05, Rob Crittenden <rcritten(a)redhat.com> wrote:
> Alexander Bokovoy via FreeIPA-users wrote:
> > On Mon, 20 Mar 2023, David Harvey via FreeIPA-users wrote:
> >> Hi there,
> >>
> >> When I try and re-enable TOTP for a host auth indicator I receive
> >> "invalid 'krbprincipalauthind': authentication indicators not allowed in
> >> service "host""
> >> Running FreeIPA 4.9.10 on Rocky.
> >>
> >> I'm having some issues working out the current methods of OTP enforcement
> >> for SSH interactive as a login method. I've had a look through
> >>
> >> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
> >>
> >> but am still stuck.
> >>
> >> I previously had a host configured (on its own details page) as requiring
> >> password and otp as auth indicators. This was a little buggy in that the
> >> GUI didn't display it after setting it, but did require an OTP on logging
> >> in with SSH and was reflected by the krbPrincipalAuthInd attr being set.
> >> [image: image.png]
> >> I cleared this for the host for $reasons - resulting in the attrs being
> >> removed, and now if I try and re-enable I get:
> >>
> >> [image: image.png]
> >>
> >> Following that clue and those from other posts, I've been looking at the
> >> services auth indicators as where to set instead, but as ssh or login don't
> >> have services I can't work out how I am supposed to achieve this now?
> >
> > Is this system an IPA server or a client? For IPA servers we prevent
> > adding authentication indicators for the reasons described in the
> > workshop chapter you reference. The check is done by seeing if this
> > server's hostname is returned by 'ipa server-find' command.
>
> Per ticket https://pagure.io/freeipa/issue/8206
>
> rob
>
> >
> > You can modify 'krbprincipalauthind' LDAP attribute directly with
> > ldapmodify to unstuck.
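The two points raised in the quoted replies, the `ipa server-find` check behind the "authentication indicators not allowed" error and the ldapmodify route for ordinary hosts, as an added shell example that is not from the thread or the FreeIPA project. The base DN, host names and server list are constructed for the example, and placing host entries under cn=computers,cn=accounts is the writer's assumption about the IPA directory tree.

```shell
#!/bin/sh
# Added example for this thread (not the posters' or the project's code).
# Assumed values: base DN dc=example,dc=test, example host names, and a
# server list handed in as text so the functions run without a live IPA.

# Mirror the framework's guard: a host counts as an IPA server when its FQDN
# appears in 'ipa server-find' output. $2 is that list, one name per line.
is_ipa_server() {
    fqdn=$1; server_list=$2
    printf '%s\n' "$server_list" | grep -qx -- "$fqdn"
}

# Emit an LDIF that replaces krbPrincipalAuthInd on a host entry.
# Assumed entry location: fqdn=<host>,cn=computers,cn=accounts,<base>.
# Each indicator becomes one attribute value; no indicators clears the attr.
authind_ldif() {
    fqdn=$1; base=$2; shift 2
    printf 'dn: fqdn=%s,cn=computers,cn=accounts,%s\n' "$fqdn" "$base"
    printf 'changetype: modify\nreplace: krbPrincipalAuthInd\n'
    for ind in "$@"; do
        printf 'krbPrincipalAuthInd: %s\n' "$ind"
    done
}

# Refuse for IPA servers, consistent with the thread's conclusion; otherwise
# feed the LDIF to ldapmodify over GSSAPI (needs a valid admin ticket).
apply_host_authind() {
    fqdn=$1; base=$2; shift 2
    servers=$(ipa server-find 2>/dev/null | sed -n 's/^ *Server name: //p')
    if is_ipa_server "$fqdn" "$servers"; then
        echo "refusing: $fqdn is an IPA server; auth indicators not allowed" >&2
        return 2
    fi
    authind_ldif "$fqdn" "$base" "$@" | ldapmodify -Y GSSAPI -H "ldap://$fqdn"
}
```

Run `apply_host_authind client.example.test dc=example,dc=test otp` after `kinit admin` to set a single `otp` indicator on a non-server host; on an IPA server the call exits with status 2 instead of touching the directory.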