[Freeipa-users] Host based two factor requirements

Hi there, When I try and re-enable TOTP for a host auth indicator I receive "invalid 'krbprincipalauthind': authentication indicators not allowed in service "host"" Running FreeIPA 4.9.10 on Rocky. I'm having some issues working out the current methods of OTP enforcement for SSH interactive as a login method. I've had a look through https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli... but am still stuck. I previously had a host configured (on its own details page) as requiring password and otp as auth indicators. This was a little buggy in that the GUI didn't display it after setting it, but did require an OTP on logging in with SSH and was reflected byt the krbPrincipalAuthInd attr being set. [image: image.png] I cleared this for the host for $reasons - resulting in the attrs being removed, and now if I try and re-enable I get: [image: image.png] Following that clue and those from other posts, I've been looking at the services auth indicators as where to set instead, but as ssh or login don't have services I can't work out how I am supposed to achieve this now? Thanks in advance, David