Cannot log in as an IPA user after enabling 2FA (Password + OTP) in IPA


Issue

  • Unable to log in as an IPA user after enabling 2FA (Password + OTP) in IPA.

  • If both 2FA (Password + OTP) and Password authentication types are enabled for an IPA user, login fails with:

[root@rhel7-ipa-1 ~]# ipa user-show  otpuser
  User login: otpuser
  First name: otp
  Last name: user
  Home directory: /home/otpuser
  Login shell: /bin/sh
  Principal name: otpuser@GSSLAB.PNQ2.REDHAT.COM
  Principal alias: otpuser@GSSLAB.PNQ2.REDHAT.COM
  Email address: otpuser@gsslab.pnq2.redhat.com
  UID: 849600010
  GID: 849600010
  User authentication types: password, otp   <----------
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-ipa-1 ~]# ssh otpuser@localhost
otpuser@localhost's password:  <------------- password + otp
Permission denied, please try again.

Environment

  • Red Hat Enterprise Linux (RHEL) 7.1 or later
  • sssd-1.15.2-50
