[Freeipa-users] Re: Using OIDC device code auth for SSH access

Mon, 28 Apr 2025 03:54:54 -0700 

Am Mon, Apr 28, 2025 at 09:19:42AM -0000 schrieb Anders Wittendorff via 
FreeIPA-users:
> I'm currently stuck in an implementation of device code auth for SSH access 
> using External Identity on FreeIPA 4.12.
> My issue is that when connecting with SSH I get the correct message: 
> Authenticate at https://... with code and press Enter.
> But after authentication at external IDP and pressing Enter the login just 
> loops, and when looking at logs on the FreeIPA server I can see the 
> Access-Challenge but seems to shutdown the process:
> Apr 23 13:31:27 ipa-test.int.domain.net ipa-otpd[147396]: 
> [email protected]: response sent: Access-Challenge
> Apr 23 13:31:27 ipa-test.int.domain.net ipa-otpd[147396]:   oauth2.c:089: 
> Child finished with status [0].
> Apr 23 13:31:27 ipa-test.int.domain.net ipa-otpd[147396]: Socket closed, 
> shutting down...
> 
> Any inputs?

Hi,

most probably your identifier does not match. You can enable debug
output of oidc_child by setting

    oidc_child_debug_level 9

in /etc/ipa/default.conf, see man default.conf for details. This should
tell you which identifier was selected and then you can compare if it is
the same value as you have configured in the IPA user object.

HTH

bye,
Sumit

> -- 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to