----- Original Message -----
> Hi,
>
> I'm exploring implementing a 2FA solution to my servers exposed to public.
> Mainly to secure SSH with 2FA. The SSH keys and users are already in
> FreeIPA.
>
> Is there a way to utilize the OTP inside FreeIPA during a user login to these
> servers? A user will have to enter the TOTP code based on what's configured
> in FreeIPA. Something along the lines of
> https://github.com/google/google-authenticator/tree/master/libpam

If you are using SSSD (pam_sss), it will automatically accept 2FA.
You need to force OpenSSH to combine authentication methods, something like:

AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

Look into the sshd_config manual page for details. This is a feature of OpenSSH 6.2 or later.

--
/ Alexander Bokovoy
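Added example, not part of the original message and not FreeIPA or OpenSSH code: a Python check over `sshd -T`-style output that reports any AuthenticationMethods alternative that does not pair publickey with a PAM-backed method, or that names a method whose enabling option is off. The function names, the sample configurations, and the treatment of password and keyboard-interactive as PAM-backed when UsePAM is yes are assumptions of this example.

```python
# Added example: audit `sshd -T`-style output for a two-factor AuthenticationMethods policy.
PAM_BACKED = {"password", "keyboard-interactive"}  # assumed to reach pam_sss when UsePAM is yes
ENABLE_OPTION = {  # option(s) of which one must be "yes" for the method to be usable
    "publickey": ("pubkeyauthentication",),
    "password": ("passwordauthentication",),
    "keyboard-interactive": ("kbdinteractiveauthentication", "challengeresponseauthentication"),
}

def parse_effective_config(text):
    """Parse 'keyword value' lines as printed by `sshd -T` (first occurrence wins)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg

def audit_2fa(text):
    """Return a list of findings; an empty list means every login path needs key + PAM."""
    cfg = parse_effective_config(text)
    findings = []
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM is not yes: pam_sss is never consulted")
    lists = cfg.get("authenticationmethods", "any").split()
    if lists == ["any"]:
        return findings + ["AuthenticationMethods is unset: one method is enough to log in"]
    for alt in lists:  # space-separated alternatives; completing any one of them grants access
        bases = [m.split(":", 1)[0] for m in alt.split(",")]
        if "publickey" not in bases or not PAM_BACKED & set(bases):
            findings.append(f"'{alt}' does not combine publickey with a PAM-backed method")
        for base in bases:
            opts = ENABLE_OPTION.get(base, ())
            if opts and not any(cfg.get(o) == "yes" for o in opts):
                findings.append(f"'{alt}' needs {base}, which is disabled")
    return findings

# Constructed samples in `sshd -T` format (not taken from a real host).
GOOD = """usepam yes
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive:pam
"""
# A space instead of a comma turns one two-step list into two single-step alternatives.
WEAK = GOOD.replace("publickey,keyboard-interactive:pam", "publickey keyboard-interactive:pam")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_2fa(sample) or "ok")
```

On a real server the input would be the effective configuration printed by `sshd -T`, which normally has to be run as root.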
