Hi there,
When I try and re-enable TOTP for a host auth indicator I receive
"invalid 'krbprincipalauthind': authentication indicators not allowed in
service "host""
Running FreeIPA 4.9.10 on Rocky.
I'm having some issues working out the current methods of OTP enforcement
for SSH interactive as a login method. I've had a look through
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
but am still stuck.
I previously had a host configured (on its own details page) as requiring
password and otp as auth indicators. This was a little buggy in that the
GUI didn't display it after setting it, but did require an OTP on logging
in with SSH and was reflected by the krbPrincipalAuthInd attr being set.
I cleared this for the host for $reasons - resulting in the attrs being
removed, and now if I try and re-enable I get:
[image: image.png]
Following that clue and those from other posts, I've been looking at the
services auth indicators as where to set instead, but as ssh or login don't
have services I can't work out how I am supposed to achieve this now?
Thanks in advance,
David