ipa-client-install right now enables the following sshd_config values by default:
changes = {
    'PubkeyAuthentication': 'yes',
    'KerberosAuthentication': 'no',
    'GSSAPIAuthentication': 'yes',
    'UsePAM': 'yes',
}
In order to enable SSSD smart prompting and allow it to ask for 1FA and 2FA separately, ChallengeResponseAuthentication should be set to yes. This change will enable better processing of the 2FA value and it will also enable other features, like allowing SSSD to make the 2FA optional in some cases and to have a way of informing the user that 2FA is optional.
It should be a safe thing to do; it is already the openssh default for this sshd_config option anyway:
With openssh-server-7.1p2-3.fc23.x86_64, I see:
$ man sshd_config
...
ChallengeResponseAuthentication
    Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in login.conf(5)) The default is “yes”.
In current sshd_config in some of the distributions (like RHEL-6) it is mostly disabled as there was no PAM module leveraging it.
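The following is an added example, not ipa-client-install's own code: a sketch of applying the settings from this ticket to an sshd_config where the option is explicitly disabled. The function names and the sample file are assumptions; it relies on sshd using the first value it reads for a keyword and on global settings having to precede any Match block.

```python
import re

# Values listed in the ticket plus the proposed option.
CHANGES = {
    'PubkeyAuthentication': 'yes', 'KerberosAuthentication': 'no',
    'GSSAPIAuthentication': 'yes', 'UsePAM': 'yes',
    'ChallengeResponseAuthentication': 'yes',
}
DIRECTIVE = re.compile(r'^\s*([A-Za-z]+)[\s=]+(.*?)\s*$')
# Constructed sample: option disabled globally, followed by a Match block.
SAMPLE = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
Match User backup
    PubkeyAuthentication no
"""

def effective_globals(text):
    """First value wins in sshd_config; stop at the first Match block."""
    seen = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # blank line or comment
        if m.group(1).lower() == 'match':
            break
        seen.setdefault(m.group(1).lower(), m.group(2))
    return seen

def apply_changes(text, changes=CHANGES):
    """Disable conflicting global values and add the wanted ones before Match."""
    current = effective_globals(text)
    todo = {k.lower(): f'{k} {v}' for k, v in changes.items()
            if current.get(k.lower(), '').lower() != v.lower()}
    out, added = [], False
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        key = m.group(1).lower() if m else None
        if key == 'match' and not added:
            out.extend(todo.values())  # global settings must precede Match
            added = True
        if key in todo and not added:
            line = '#' + line  # comment out the conflicting global value
        out.append(line)
    if not added:
        out.extend(todo.values())
    return '\n'.join(out) + '\n'
```

Running apply_changes(SAMPLE) comments out the global "ChallengeResponseAuthentication no", adds the missing directives ahead of the Match block, and leaves the per-user override inside the Match block untouched; a second run changes nothing.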
master:
Metadata Update from @mkosek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.4