Hello PrivacyIDEA community,
I’m setting up a two-factor authentication system for SSH access to a lab environment. Here’s my current setup and the issue I’m facing:
Environment:
- 2 proxy servers for lab access
- FreeRADIUS server
- PrivacyIDEA server
- Active Directory for user management
Desired Authentication Flow:
- User initiates SSH connection to a proxy server
- User enters AD username and password
- AD credentials are verified
- If AD auth succeeds, user is prompted for OTP within the SSH session
- OTP is verified by PrivacyIDEA
- If OTP is correct, access is granted
Current Issue:
The system seems to be expecting both the AD password and OTP simultaneously. When a user enters only their AD password, the FreeRADIUS log shows:
"Wed Sep 18 20:45:36 2024 : rlm_perl: Content {"detail": {"message": "wrong otp pin", …}}"
This suggests that the OTP check is happening at the same time as the AD password check, which is not the desired behavior.
- How can I configure PrivacyIDEA, FreeRADIUS, and PAM to separate the AD authentication from the OTP prompt?
- Is there a recommended setup or specific module in PrivacyIDEA for handling this two-step authentication process with SSH?
- Are there any specific settings in FreeRADIUS or PrivacyIDEA that I should check or modify to achieve this flow?
Any guidance or pointers to relevant documentation would be greatly appreciated. Thank you in advance for your help!
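An added configuration example (my own suggestion, not anything from the original post or from the privacyIDEA project) of how the two prompts are normally separated on the proxy side. It assumes the proxies are Linux hosts that check AD passwords through SSSD (pam_sss.so; substitute pam_winbind.so or pam_ldap.so if that is what you use), that pam_radius_auth from the FreeRADIUS project is installed on them, that FreeRADIUS listens at 192.0.2.10 (a documentation address) and that the shared secret is a placeholder. Two things matter: sshd has to use keyboard-interactive authentication, because plain password authentication allows exactly one prompt, and pam_radius_auth has to be told to prompt rather than reuse the password already on the PAM stack. To my reading of the module, by default it picks up the PAM_AUTHTOK left by the previous module, which is exactly what sends the AD password to privacyIDEA as if it were PIN+OTP and produces "wrong otp pin"; the force_prompt option exists in recent pam_radius_auth releases, so check the man page or README of your version.

```text
# --- /etc/ssh/sshd_config (relevant lines only) ---
UsePAM yes
# keyboard-interactive lets PAM drive several prompts in one login.
# On OpenSSH older than 8.7 the directive is ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods keyboard-interactive

# --- /etc/pam.d/sshd (auth stack only; keep the distro's account/session lines) ---
# 1. AD password via SSSD (assumed; use your own AD module here).
#    "requisite" stops the stack on a wrong AD password, which gives the
#    "OTP only after AD succeeds" flow asked for above, but it also tells
#    an attacker whether the AD password was right. Use "required" instead
#    if you would rather always show the OTP prompt.
auth    requisite   pam_sss.so
# 2. OTP via FreeRADIUS -> privacyIDEA. force_prompt makes the module ask
#    the user for the OTP instead of silently reusing the AD password that
#    pam_sss left on the PAM stack; prompt= sets the text the user sees.
auth    required    pam_radius_auth.so conf=/etc/pam_radius_auth.conf prompt=OTP force_prompt

# --- /etc/pam_radius_auth.conf (root-owned, mode 0600) ---
# server[:port]     shared_secret              timeout (seconds)
192.0.2.10          CHANGE_ME_shared_secret    3
```

With this stack the RADIUS request carries only what the user typed at the OTP prompt, so the FreeRADIUS and privacyIDEA side needs no change for the split itself. If the token still has a PIN configured in privacyIDEA, the user types PIN followed by OTP at that second prompt; whether you keep a token PIN at all is a privacyIDEA policy decision, since the AD password is already checked on the proxy.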