On Fri, 23 Dec 2022, Kjell Cornelius Nicolaysen via FreeIPA-users wrote:
Hey,
So I am trying to implement TOTP+password for SSH on a server. In the
past it's been as simple as using Google Authenticator, but seeing as
how we have a shiny FreeIPA server...
Created a user, then gave them a TOTP token (synced and tested that
it works by logging into the web UI). But I'm stuck at the correct way
to implement this on the SSH server.
Found the earlier thread[1] and got some pointers.
sshd config:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
If I do not define password/otp for the host via the IPA web
interface, login works fine with password. If I set it to password/otp
only, it fails.
Looking at journalctl -xeu ssh.service, there clearly is some issue.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832 ssh2 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2
Connection closed by authenticating user kjell 192.168.31.102 port 38832 [preauth]
Tried giving my password, and my password+otp (without the '+'). But
nothing works.
Anyone got any pointers or see any obvious mistakes?
You get a system error from pam_sss. You need to enable debug logging in
SSSD and collect logs. Please see
https://sssd.io/troubleshooting/basics.html for more details.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
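The two checks a practitioner would do by hand on this thread, as an added example that is not part of the thread and is not code from OpenSSH, FreeIPA or SSSD: verify that the sshd_config actually lets PAM keyboard-interactive authentication happen (UsePAM, KbdInteractiveAuthentication or its pre-8.7 name ChallengeResponseAuthentication, AuthenticationMethods), and read the numeric result that pam_sss logs as a Linux-PAM return code, so that the "4 (System error)" above (PAM_SYSTEM_ERR, SSSD failed) is not confused with "7 (Authentication failure)" (PAM_AUTH_ERR, credentials rejected). The sample sshd_config and journal lines are constructed to mirror the snippets quoted above; the UsePAM line is an assumption, since the post does not show it.

```python
"""Triage helper for a FreeIPA password+OTP (keyboard-interactive) SSH login
that fails at sshd.  Added example; not code from the thread, OpenSSH, FreeIPA
or SSSD.  Inputs below are constructed to match the thread's excerpts."""
import re
from collections import Counter

# Linux-PAM return codes (values from _pam_types.h), as pam_sss logs them.
PAM_CODES = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR",
    3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# "pam_sss(sshd:auth): received for user kjell: 4 (System error)"
PAM_SSS_RESULT = re.compile(
    r"pam_sss\((?P<service>[\w.-]+):(?P<type>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+)"
)

NEXT_STEP = {
    "sssd": ("pam_sss returned PAM_SYSTEM_ERR: SSSD failed before it could judge the "
             "credentials. Raise debug_level in the [pam] and [domain/...] sections of "
             "/etc/sssd/sssd.conf (or 'sssctl debug-level 6' where available), restart "
             "sssd, retry the login and read /var/log/sssd/sssd_pam.log and "
             "/var/log/sssd/sssd_<domain>.log."),
    "credentials": ("only PAM_AUTH_ERR: SSSD ran and rejected the password/OTP; check the "
                    "token and the user's/host's auth type."),
    "unknown": ("no or unexpected pam_sss result line; confirm UsePAM yes and that "
                "pam_sss is in the sshd PAM stack."),
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}.  sshd uses the FIRST value given for a
    keyword, so later duplicates are ignored.  Match blocks are not modelled:
    parsing stops at the first 'Match' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_sshd_config(text):
    """Return a list of findings that would stop or weaken PAM keyboard-interactive
    authentication (empty list means the config is fine for it)."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("usepam", "no") != "yes":   # upstream default is no; distro defaults vary
        findings.append("ERROR: UsePAM is not 'yes': pam_sss is never called")
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication;
    # the old name is still accepted as an alias.  Default for both is yes.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("ERROR: KbdInteractiveAuthentication/ChallengeResponseAuthentication "
                        "is not 'yes': sshd will not run the PAM prompts")
    methods = s.get("authenticationmethods")
    if methods is None:
        if s.get("passwordauthentication", "yes") == "yes":
            findings.append("NOTE: AuthenticationMethods unset and PasswordAuthentication yes: "
                            "clients may use the single-prompt 'password' method instead of "
                            "the keyboard-interactive prompts")
    else:
        # Each space-separated entry is one acceptable comma-separated sequence,
        # e.g. "publickey,keyboard-interactive"; "keyboard-interactive:pam" is allowed.
        sequences = [entry.split(",") for entry in methods.split()]
        if not any(m.split(":")[0] == "keyboard-interactive" for seq in sequences for m in seq):
            findings.append("ERROR: AuthenticationMethods %r does not include keyboard-interactive"
                            % methods)
    return findings


def triage_journal(lines):
    """Count pam_sss results by PAM name and return (counts, verdict)."""
    counts = Counter()
    for line in lines:
        m = PAM_SSS_RESULT.search(line)
        if m:
            code = int(m.group("code"))
            counts[PAM_CODES.get(code, "UNKNOWN_%d" % code)] += 1
    if counts.get("PAM_SYSTEM_ERR"):
        verdict = "sssd"
    elif counts and set(counts) <= {"PAM_AUTH_ERR", "PAM_MAXTRIES"}:
        verdict = "credentials"
    else:
        verdict = "unknown"
    return counts, verdict


# Constructed inputs mirroring the thread; the UsePAM line is an assumption.
SAMPLE_SSHD_CONFIG = """\
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
"""
SAMPLE_JOURNAL = """\
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): received for user kjell: 4 (System error)
Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832 ssh2 [preauth]
pam_sss(sshd:auth): received for user kjell: 4 (System error)
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2
"""

if __name__ == "__main__":
    for finding in check_sshd_config(SAMPLE_SSHD_CONFIG) or ["sshd_config OK for PAM keyboard-interactive"]:
        print(finding)
    counts, verdict = triage_journal(SAMPLE_JOURNAL.splitlines())
    print(dict(counts))
    print(NEXT_STEP[verdict])
```

Run against the thread's excerpt, the verdict is "sssd" (two PAM_SYSTEM_ERR against one PAM_AUTH_ERR), which is exactly why the reply asks for SSSD debug logs rather than another password attempt: pam_sss is failing internally, and sshd only ever sees a generic PAM failure. The config checker treats a missing UsePAM as an error because upstream OpenSSH defaults it to no; on distributions whose packaged sshd_config already sets it, the line simply needs to stay in place.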