#8727 When enabling OTP and Password indicator for a user, user cannot login
Closed: wontfix 2 years ago by pcech. Opened 3 years ago by rezz21.

Issue

We just need to enable OTP for some of the hosts, not all. It should really work when allowing users to have password as well as OTP, then enforcing OTP for the jump host.
But we cannot login to hosts unless we force the user to OTP only.
In other words, if I tick the password as well as OTP for a user, the user won't be able to login at all.

Steps to Reproduce

  1. Create a user_otp with OTP + RADIUS ticked in "User authentication types"
  2. Create another user_potp with OTP + RADIUS + PASSWORD ticked in "User authentication types"
  3. Set "Authentication indicators" to OTP for a host_with_otp
  4. Do not set "Authentication indicators" to OTP for a host_with_password
  5. Add an OTP token for both users

Actual behavior

user_otp can login to host_with_password with Password+OTP
user_otp can login to host_with_otp with Password+OTP too

user_potp can login to host_with_password with password only
user_potp cannot login to host_with_otp with password or with password+OTP

Expected behavior

user_otp can login to host_with_password with Password+OTP
user_otp can login to host_with_otp with Password+OTP too

user_potp can login to host_with_password with password only
user_potp should be able to login to host_with_otp with password+OTP

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
ipa-client-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
389-ds-base-1.4.3.8-5.module_el8.3.0+473+53682548.x86_64
pki-ca-10.9.4-1.module_el8.3.0+500+458aeb54.noarch
krb5-server-1.18.2-5.el8.x86_64
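The "Authentication indicators" setting in the steps above is FreeIPA's front end for Kerberos authentication indicators: the KDC records on the TGT which pre-authentication the client completed, and a host's indicator list is an allow list that a service ticket request must satisfy. The following is an added example, not code from the ticket or from FreeIPA, that models those two decisions in Python. The user and host names are taken from the ticket; their settings, and the rule that plain password pre-authentication yields no indicator while OTP pre-authentication yields "otp", are constructed assumptions for the model.

```python
# Added example (not part of the ticket or of FreeIPA): a small model of how
# a KDC applies Kerberos authentication indicators, the mechanism behind the
# "Authentication indicators" host setting.
#
# Two separate decisions are modelled:
#   1. which pre-authentication a user may complete ("User authentication types"),
#   2. whether the resulting TGT carries an indicator that the target host's
#      allow list ("Authentication indicators") accepts.
# The user and host names come from the ticket; the settings below are
# constructed sample data, not a dump of any real IPA server.
from typing import Dict, Optional, Set, Tuple

# "User authentication types" per user (constructed sample data).
USER_AUTH_TYPES: Dict[str, Set[str]] = {
    "user_otp": {"otp"},
    "user_potp": {"otp", "password"},
}

# "Authentication indicators" per host: an allow list of indicators a ticket
# must carry; an empty set means no restriction (constructed sample data).
HOST_AUTH_IND: Dict[str, Set[str]] = {
    "host_with_otp": {"otp"},
    "host_with_password": set(),
}

# Indicator attached to a TGT for each completed pre-authentication (assumed):
# plain password (encrypted timestamp) yields no indicator, OTP yields "otp".
INDICATOR_FOR_PREAUTH: Dict[str, Set[str]] = {
    "password": set(),
    "otp": {"otp"},
}


def issue_tgt(user: str, preauth: str) -> Optional[dict]:
    """AS exchange: return a TGT, or None if the user may not use this pre-auth."""
    if preauth not in USER_AUTH_TYPES.get(user, set()):
        return None
    return {"user": user, "auth_indicators": set(INDICATOR_FOR_PREAUTH[preauth])}


def issue_service_ticket(tgt: dict, host: str) -> bool:
    """TGS exchange: grant a ticket for the host only if the TGT's indicators
    intersect the host's allow list (an empty allow list accepts any TGT)."""
    required = HOST_AUTH_IND.get(host, set())
    if not required:
        return True
    return bool(required & tgt["auth_indicators"])


def can_login(user: str, preauth: str, host: str) -> bool:
    """Login succeeds only if a TGT is issued and the host's policy accepts it."""
    tgt = issue_tgt(user, preauth)
    return tgt is not None and issue_service_ticket(tgt, host)


def access_matrix() -> Dict[Tuple[str, str, str], bool]:
    """Evaluate every (user, pre-auth, host) combination from the ticket."""
    return {
        (u, p, h): can_login(u, p, h)
        for u in USER_AUTH_TYPES
        for p in INDICATOR_FOR_PREAUTH
        for h in HOST_AUTH_IND
    }


if __name__ == "__main__":
    for (u, p, h), ok in sorted(access_matrix().items()):
        print(f"{u:10} via {p:8} -> {h:18}: {'allowed' if ok else 'refused'}")
```

In this model the indicator on the TGT depends on which pre-authentication the client actually completed, not on the set of types the user is permitted to use. That is the assumption worth verifying when a user who has both password and OTP enabled is refused by an OTP-only host: a ticket obtained with the password alone carries no "otp" indicator and is refused, while one obtained through OTP pre-authentication is accepted.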


Anyone can comment on this please

Sorry for the delay.

I don't know a ton about either OTP or Radius but here we go...

What is the purpose of setting all three authentication types?

It appears it's just the radius auth that isn't working. Does it work if you only set that option?

Sorry, I think I made a mistake saying 'Create a user_otp with OTP + RADIUS ticked in "User authentication types"'.

I only created the user with OTP + Password ticked.

The issue is, I need to know how to set this up so only the jump host forces OTP for login, not any other server.

What you want is not possible to achieve. Authentication is not tied to the target host and cannot be tied there.

Based on the previous comment, I am about to close this ticket. Thanks for your time in opening this issue.
FreeIPA Product Owner

Metadata Update from @pcech:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

2 years ago
