2FA authentication will be bypassed when using SSH public/private key login on IPA client.

Solution In Progress - Updated -

Issue

  • On an IPA client system, 2FA is bypassed when logging in with an SSH public/private key.

  • IdM (IPA) on RHEL 7.4 works well. Login via SSH correctly prompts for a two-factor password:

[user@laptop ~]$ klist
Ticket cache: KCM:1000:xxxxx
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
09-04-18 13:51:57  10-04-18 13:51:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 16-04-18 13:51:51
[user@laptop ~]$ ssh server.example.com -oPubkeyAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=yes -l otp
First Factor: 
Second Factor (optional): 
Last login: Mon Apr  9 13:54:04 2018 from laptop.example.com

  • However, public/private key login will NOT ask for the Second Factor, which creates an easy way to (partially) bypass OTP.
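To check whether a given client is exposed to the condition described above, the following added example (not part of the original article and not Red Hat's resolution) parses `sshd -T` output and reports whether a public key on its own completes authentication. The function names and sample configurations are constructed for illustration.

```python
# Added example: decide from `sshd -T` output whether key-only login is possible.
# Sample dumps below are constructed, not captured from a real host.

def parse_sshd_dump(text):
    """Parse `sshd -T` output (one 'keyword value' pair per line) into a dict."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts:
            # Keywords are case-insensitive; keep the first value seen.
            cfg.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return cfg

def key_alone_suffices(cfg):
    """True when a public key by itself satisfies sshd (no further prompt)."""
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        return False
    methods = cfg.get("authenticationmethods", "any").strip() or "any"
    if methods == "any":
        return True  # any single enabled method, publickey included, is enough
    for method_list in methods.split():
        # Lists are alternatives; every method inside one list must succeed.
        names = [m.split(":", 1)[0] for m in method_list.split(",")]
        if all(name == "publickey" for name in names):
            return True
    return False

# Constructed samples of effective configuration.
SAMPLE_DEFAULT = "port 22\npubkeyauthentication yes\nauthenticationmethods any\n"
SAMPLE_CHAINED = ("pubkeyauthentication yes\n"
                  "authenticationmethods publickey,keyboard-interactive\n")
SAMPLE_MIXED = ("pubkeyauthentication yes\n"
                "authenticationmethods publickey,keyboard-interactive:pam publickey\n")
SAMPLE_NOKEY = "pubkeyauthentication no\nauthenticationmethods any\n"

if __name__ == "__main__":
    for name, dump in [("default", SAMPLE_DEFAULT), ("chained", SAMPLE_CHAINED),
                       ("mixed", SAMPLE_MIXED), ("nokey", SAMPLE_NOKEY)]:
        exposed = key_alone_suffices(parse_sshd_dump(dump))
        print(f"{name}: key-only login {'possible' if exposed else 'not possible'}")
```

On a real client, feed the functions the output of `sshd -T` run as root; add `-C` with the user and host to evaluate any `Match` blocks that apply to that connection.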

Environment

  • Red Hat Enterprise Linux 7.4 and above.
