Login bypasses FreeIPA OTP #676
Comments
Currently, xrdp doesn't support multi-factor authentication. We know some people want to do MFA. We need to manage it someday.
I believe we got this working where xrdp would accept the password as password + otp. We reconfigured /etc/pam.d/xrdp-sesman and now it works with password + otp.
@Kaydub00, can you paste your xrdp-sesman pam configuration?
@Kaydub00, can you give some insight on how you accomplished this?
@Kaydub00 can you share some details about your pam config?
@MarcoJankowski @corrjo @jenningsloy318 I'm reaching out to the company I worked for where I had to set this up. Going to see if I can get the details. If any of you three figured it out, please post it here!
@MarcoJankowski @corrjo @jenningsloy318 @Kaydub00 I have now FINALLY found a solution to this. Append this to your
See this sssd discussion (initially only sshd was hardcoded in sssd to allow combining password+otp)
Thanks, I will check in our env
I have authentication set up to use FreeIPA. When a user has no OTP token they can log in to xrdp fine with their FreeIPA credentials. Once an OTP token is added and OTP is turned on in FreeIPA, XRDP login no longer works for that user.
I believe this is because there's a pre-authentication and then on other applications, like SSH, a second prompt is given asking for the second factor (otp token). XRDP just gets a failed login.