Description of problem: If OTP authentication is enabled in the IPA server for a user, only OTP authentication is possible, although the user has a long-term password which can be used for single-factor authentication as well. It would be good if SSSD can do 1FA as well if only one factor was given at the login prompt. Additionally, the documentation might be enhanced to illustrate how the credentials can be promoted from 1FA to 2FA by calling 'su' or switching to the screen saver. This will be important as soon as applications become aware of Authentication Indicators, see e.g. #1224057.
Upstream ticket: https://fedorahosted.org/sssd/ticket/2988
* master: 78027feeb56d6fe216f699be86a4716aaef3f628
Verified
sssd-1.14.0-27.el7.x86_64
ipa-server-4.4.0-8.el7.x86_64

[root@host108 ~]# ipa user-show
User login: otpuser
User login: otpuser
First name: otp
Last name: user
Home directory: /home/otpuser
Login shell: /bin/sh
Principal name: otpuser@TESTRELM.TEST
Principal alias: otpuser@TESTRELM.TEST
Email address: otpuser@testrelm.test
UID: 1657800009
GID: 1657800009
User authentication types: otp, password
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True

[root@host108 ~]# ssh -l otpuser `hostname`
First Factor: -------------------------------------> login with single-factor authentication (only password)
Second Factor (optional):
Last login: Tue Aug 23 17:00:19 2016
Could not chdir to home directory /home/otpuser: No such file or directory
-sh-4.2$
-sh-4.2$ su otpuser
First Factor:
Second Factor (optional): --------------------------> switching from 1FA to 2FA (with key+token)
sh-4.2$
sh-4.2$
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html