On Thu, Apr 16, 2020 at 12:19:57AM -0400, Michael S. Moody via FreeIPA-users wrote:
Good evening,
First, thank you, again, for FreeIPA. I know I say it every time I send a message to the list, but it's magic.
We're running into an interesting situation where some of our hosts are requesting a first/second factor, even once authenticated.
Essentially, we SSH into a bastion host using MFA (PW+TOTP at the moment). Once we're in, we're able to pretty reliably SSH to other hosts without issue. However, we've got a few hosts that prompt for "First Factor/Second Factor". We're able to authenticate against those hosts if we provide credentials, but if we log out and log back in, we have to do it again.
Hi,
What is the expected behavior after you have logged into the bastion host? Is it that you can ssh to the other hosts without any prompts at all (authentication with ssh keys) or that you are only prompted for the password and not for both factors?
bye, Sumit
Interestingly, there's a host we can SSH to (bastion01 to dev-server02) which we can then SSH to another (dev-server02 to dev-server01) and not be prompted for credentials, but if we attempt to authenticate against it directly from the bastion host, we get prompted (bastion01 to dev-server01).
Similarly, we can hop onto other servers, no issues. I can SSH from a host to another and then try to SSH again back (a circle) and get prompted (bastion01 to dev-server02 to dev-server01 to bastion01) and it might work, or it might not, depending on the host in question. It's the most bizarre behavior I've ever seen with FreeIPA.
Any guidance that you can provide is appreciated.
Thanks in advance, Michael S. Moody