Hi guys,
I'm facing a strange behaviour with FreeIPA OTP.
We installed FreeIPA 4.11 on RockyLinux 9.4 and configured all users to authenticate using OTP, which is working fine except for this behaviour: when a user connects via ssh using the hostname to the first client (ssh user@hostname1), FreeIPA correctly asks for 2FA; then, once logged in, if I ssh to a second server using the hostname (ssh user@hostname2) it doesn't ask for any 2FA, while if I use the IP (ssh user@ip_of_hostname2) it asks for it.
It's a strange behaviour, shouldn't it always ask for 2FA?
Can you guys enlighten me and help me make FreeIPA always ask for 2FA on each ssh?
Thanks
Damiano
Am Wed, Oct 23, 2024 at 12:58:08PM -0000 schrieb Damiano Giuliani via FreeIPA-users:
> Hi guys,
> I'm facing a strange behaviour with FreeIPA OTP.
> We installed FreeIPA 4.11 on RockyLinux 9.4 and configured all users to authenticate using OTP, which is working fine except for this behaviour: when a user connects via ssh using the hostname to the first client (ssh user@hostname1), FreeIPA correctly asks for 2FA; then, once logged in, if I ssh to a second server using the hostname (ssh user@hostname2) it doesn't ask for any 2FA, while if I use the IP (ssh user@ip_of_hostname2) it asks for it.
> It's a strange behaviour, shouldn't it always ask for 2FA?
> Can you guys enlighten me and help me make FreeIPA always ask for 2FA on each ssh?
Hi,
you most probably have GSSAPIAuthentication enabled in sshd. The first login will give you a Kerberos ticket which is used for GSSAPIAuthentication to the second host as long as you use the fully-qualified name of the host. If you use the IP address to connect to the second host, GSSAPIAuthentication will most probably fail because Kerberos/GSSAPI needs the fully-qualified name to find the required keys, and as a result ssh will fall back to other authentication methods and will prompt you for the two factors.
HTH
bye, Sumit
> Thanks
> Damiano
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi Sumit,
Thanks for the explanation! So if I turn off GSSAPIAuthentication it should always prompt me for the 2FA?
How can I achieve asking for 2FA always, for each ssh connection?
Really, thanks for helping me!
Am Wed, Oct 23, 2024 at 05:34:54PM -0000 schrieb Damiano Giuliani via FreeIPA-users:
> Hi Sumit,
> Thanks for the explanation! So if I turn off GSSAPIAuthentication it should always prompt me for the 2FA?
Hi,
at least ssh will not try to use GSSAPIAuthentication in that case. There might be other methods like PubkeyAuthentication which would have the same effect and will not prompt the user.
bye, Sumit
> How can I achieve asking for 2FA always, for each ssh connection?
> Really, thanks for helping me!
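A way to audit this on a client, added here as an example that is not part of the thread: a POSIX shell function that scans `sshd -T` style output (effective config, lowercase keys) for methods that let a login skip the keyboard-interactive prompt where the OTP is collected. Both config samples are constructed; the hardened one relies on `AuthenticationMethods keyboard-interactive` so that neither a Kerberos ticket nor a public key can bypass the PAM prompt.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output for a FreeIPA client where only the
# first hop prompts for the OTP (GSSAPI and public keys are accepted).
WEAK_CFG='gssapiauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication yes
passwordauthentication no
authenticationmethods any'

# Constructed sample of the same host after restricting sshd to the PAM path
# (SSSD + FreeIPA OTP) only.
HARD_CFG='gssapiauthentication no
pubkeyauthentication no
kbdinteractiveauthentication yes
passwordauthentication no
authenticationmethods keyboard-interactive'

# Print, space-separated, the methods that allow a session without the
# keyboard-interactive (2FA) prompt. Argument: sshd -T style text.
auth_bypass_methods() {
    printf '%s\n' "$1" | awk '
        $1 == "gssapiauthentication" && $2 == "yes" { gss = 1 }
        $1 == "pubkeyauthentication" && $2 == "yes" { pub = 1 }
        $1 == "authenticationmethods"               { am = $2 }
        END {
            # AuthenticationMethods keyboard-interactive alone forces the
            # PAM prompt, whatever else is still enabled.
            if (am == "keyboard-interactive") exit
            out = ""
            if (gss) out = out "gssapiauthentication "
            if (pub) out = out "pubkeyauthentication "
            sub(/ $/, "", out)
            print out
        }'
}

# Exit 0 when every ssh login must pass the 2FA prompt, 1 otherwise.
requires_2fa_always() {
    [ -z "$(auth_bypass_methods "$1")" ]
}

auth_bypass_methods "$WEAK_CFG"   # gssapiauthentication pubkeyauthentication
requires_2fa_always "$HARD_CFG" && echo "hardened: 2FA on every login"
```

On a live host, feed it the real output with `auth_bypass_methods "$(sudo sshd -T)"`.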
Hi Sumit, Thanks for your clear explanation. It really helps me to figure out more about it.
Have a good day! Damiano
On Thu, Oct 24, 2024, 8:52 AM Sumit Bose sbose@redhat.com wrote:
> Am Wed, Oct 23, 2024 at 05:34:54PM -0000 schrieb Damiano Giuliani via FreeIPA-users:
> > Hi Sumit,
> > Thanks for the explanation! So if I turn off GSSAPIAuthentication it should always prompt me for the 2FA?
> Hi,
> at least ssh will not try to use GSSAPIAuthentication in that case. There might be other methods like PubkeyAuthentication which would have the same effect and will not prompt the user.
> bye, Sumit
> > How can I achieve asking for 2FA always, for each ssh connection?
> > Really, thanks for helping me!