On Mon, Sep 18, 2023 at 03:55:32PM -0000, Sirio Sannipoli via FreeIPA-users wrote:
> Hello everyone,
> I've already done searches without success, I need someone to point me
> in the direction of resolving a strange behavior I'm experiencing on
> servers with the RedHat/Centos operating system.
> I have installed FreeIPA 4.10.1 on Oracle Linux 9 and all users by
> default have Radius authentication via a Cisco server, users can
> access via SSH to 100 Servers configured, we have OS of all types
> (Debian, RedHat, Centos, Ubuntu).
> The behavior I get is the following:
> Debian based distro: SSH Login and SUDO work perfectly using the
> Radius credentials
> RedHat based distro: SSH Login prompt asks for 2FA, first factor &
> second factor (optional) and I can log in by entering the Radius
> credentials and using the same password 2 times, SUDO asks for 2FA and
> authentication fails when entering the same password 2 times.
> I don't understand if the problem is on the FreeIPA client or server
> or why there is a difference in behavior between Debian and RedHat
> systems.
> Can anyone give me directions to understand what's happening?

Hi,
as long as the Radius server only expects a single string for
authentication please just enter the password at the first prompt and
just press enter at the second (optional) prompt. Then authentication
should work in all cases.
ssh has a special behavior when it comes to multiple prompts where some
of them are optional. As a result there is some special handling for ssh
if the inputs in multiple prompts are the same. That's why entering the
password twice with ssh works, but just entering it at the first prompt
is the expected way to use it and should work as well.
HTH
bye,
Sumit
> Note: I have never set up 2FA authentication on the FreeIPA server,
> the users are correctly configured and the "ipa user-show" command
> confirms "User authentication types: radius", if I change user
> configuration with the password, everything works fine.