We just need to enable OTP for some of the hosts, not all. It should really work when we allow users to have password as well as OTP, then enforce OTP for the jump host. But we cannot log in to hosts unless we force the user to OTP only. In other words, if I tick the password as well as OTP for a user, the user won't be able to log in at all.
User_otp can login to host_with_password with Password+OTP
user_otp can login to host__with_otp with Password+OTP to

User_potp can login to host_with_password with password only
User_potp can not login to host__with_otp with password or with password+OTP

User_potp can login to host_with_password with password only
User_potp should be able to login to host__with_otp with password+OTP
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
ipa-client-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
389-ds-base-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64
pki-ca-10.9.4-1.module_el8.3.0+500+458aeb54.noarch
krb5-server-1.18.2-5.el8.x86_64
Can anyone comment on this, please?
Sorry for the delay.
I don't know a ton about either OTP or Radius but here we go...
What is the purpose of setting all three authentication types?
It appears it's just the radius auth that isn't working. Does it work if you only set that option?
Sorry, I think I made a mistake saying 'Create a user_otp with OTP + RADIUS ticked in "User authentication types"'.
I only created the user with OTP + Password ticked.
The issue is, I need to know how to set this up so only the jump host forces OTP for login, not any other server.
What you want is not possible to achieve. Authentication is not tied to the target host and cannot be tied there.
Based on the previous comment, I am about to close this ticket. Thanks for your time in opening this issue.
FreeIPA Product Owner
Metadata Update from @pcech: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)