On Mon, 20 Mar 2023, David Harvey via FreeIPA-users wrote:
Hi there,

When I try and re-enable TOTP for a host auth indicator I receive
"invalid 'krbprincipalauthind': authentication indicators not allowed in
service "host""
Running FreeIPA 4.9.10 on Rocky.

I'm having some issues working out the current methods of OTP enforcement
for SSH interactive as a login method. I've had a look through
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html
but am still stuck.

I previously had a host configured (on its own details page) as requiring
password and otp as auth indicators. This was a little buggy in that the
GUI didn't display it after setting it, but did require an OTP on logging
in with SSH and was reflected by the krbPrincipalAuthInd attr being set.
[image: image.png]
I cleared this for the host for $reasons - resulting in the attrs being
removed, and now if I try and re-enable I get:

[image: image.png]

Following that clue and those from other posts, I've been looking at the
services auth indicators as where to set instead, but as ssh or login don't
have services I can't work out how I am supposed to achieve this now?

Is this system an IPA server or a client? For IPA servers we prevent
adding authentication indicators for the reasons described in the
workshop chapter you reference. The check is done by seeing if this
server's hostname is returned by 'ipa server-find' command.

You can modify the 'krbprincipalauthind' LDAP attribute directly with
ldapmodify to get unstuck.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
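One way to script the workaround described above, as an added example that is not from the thread or from the FreeIPA project: it builds the LDIF that ldapmodify would apply to a client host's krbPrincipalAuthInd, and first checks the hostname against `ipa server-find` output so that an IPA server is never touched. The hostnames, base DN and indicator values are constructed placeholders; the live wrapper assumes an admin Kerberos ticket and an ldap.conf pointing at the IPA server.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Host entries in FreeIPA live under
# fqdn=<host>,cn=computers,cn=accounts,<base DN>; the attribute that carries
# the auth indicators is krbPrincipalAuthInd (multi-valued).

# Emit the LDIF that replaces krbPrincipalAuthInd on a host entry.
# Arguments: FQDN, base DN, then one or more indicator values (otp, ...).
build_authind_ldif() {
  fqdn="$1"; basedn="$2"; shift 2
  printf 'dn: fqdn=%s,cn=computers,cn=accounts,%s\n' "$fqdn" "$basedn"
  printf 'changetype: modify\n'
  printf 'replace: krbPrincipalAuthInd\n'
  for ind in "$@"; do
    printf 'krbPrincipalAuthInd: %s\n' "$ind"
  done
}

# Succeed (exit 0) only if FQDN appears as an exact "Server name:" value in
# `ipa server-find` output read from stdin, which is the same test the IPA
# framework applies before rejecting indicators on a server's host principal.
is_ipa_server() {
  awk -v h="$1" '$1 == "Server" && $2 == "name:" && $3 == h { found = 1 }
                 END { exit !found }'
}

# Live wrapper: refuse on IPA servers, otherwise apply the LDIF with
# ldapmodify over GSSAPI (needs a kinit'd admin; not run by the test below).
set_client_authind() {
  fqdn="$1"; basedn="$2"; shift 2
  if ipa server-find | is_ipa_server "$fqdn"; then
    echo "refusing: $fqdn is an IPA server, indicators are not allowed there" >&2
    return 1
  fi
  build_authind_ldif "$fqdn" "$basedn" "$@" | ldapmodify -Y GSSAPI
}

# Dry run with constructed values: print the LDIF instead of applying it.
build_authind_ldif client1.example.test dc=example,dc=test otp password
```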
_______________________________________________
FreeIPA-users mailing list -- [email protected]