Bug 1485438
| Summary: | Second Factor optional even though host auth-ind=otp | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Wen Liang <wliang> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED DUPLICATE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | pvoborni, rcritten, sbose, tscherf |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-30 16:12:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I would say no because there are two independent steps here authentication and authorization. Getting and validating the user's credentials is authentication. Checking whether the user is allowed to log in is authorization. If e.g. a HBAC rule denies access to a specific user on a host the user is prompted for the password as well although he can never log in due to the HBAC rule. If you'd like to change the prompting in general this is tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1402056. Hence I'd like to close this ticket either as NOTABUG or as duplicate to #1402056. What would you prefer? Thank you for the clarification. Yes, bug 1402056 could have helped here so not to confuse the users. ok, thank you for the feedback, then I close this a duplicate. *** This bug has been marked as a duplicate of bug 1402056 *** |
Setup: > ipa user-mod user1 --user-auth-type=otp --user-auth-type=password > ipa host-mod host1 --auth-ind=otp > ssh user1@host1 First Factor: Second Factor (optional): Issue: Shouldn't "Second Factor" be required?