One of the goals of mod_auth_otp is to be able to support users that have OTP entries, but not to require it -- an opt-in approach. That's the idea behind the RequireTableEntry AuthOTPOption.
By default, mod_auth_otp will not require OTP logins for FTP/FTPS logins for users that don't have entries in the AuthOTPTable.
However, these same semantics -- not requiring OTP -- are not actually being applied for SFTP logins that use e.g.:
SFTPAuthMethods password+keyboard-interactive
With the desired semantics, you should be able to configure an AuthOTPTable, and to configure mod_sftp for 2FA, as above; if the user in question has an entry in the AuthOTPTable, that user will be prompted for the OTP code, and it must match. If they don't, the above should Just Work(tm) without the user requiring the OTP code. Currently, this is not the case.
That is, the requirement of OTP/2FA is controlled by per-user entries in the AuthOTPTable. That's the idea/intent, and it is not being honored for SFTP logins.
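The opt-in semantics described in this issue, modelled as an added example (not mod_auth_otp's code and not part of the original report): the decision depends only on whether the user has a table entry, so it should come out the same for FTP/FTPS and SFTP. `OTP_TABLE`, `totp` and `second_factor` are hypothetical names, and TOTP with HMAC-SHA1 is an assumption, since the issue only says "OTP code".

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the AuthOTPTable: user -> raw shared secret.
# "alice" has opted in to OTP; "bob" has no entry.
OTP_TABLE = {"alice": b"12345678901234567890"}


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 at Unix time `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def second_factor(user, code, now, require_table_entry=False):
    """Decide the OTP step of a login whose password step already succeeded.

    Returns "skip" (no OTP needed), "accept" or "reject".
    """
    secret = OTP_TABLE.get(user)
    if secret is None:
        # No table entry: opt-in means the login proceeds on the first
        # factor alone, unless the administrator demands an entry.
        return "reject" if require_table_entry else "skip"
    if code is None:
        return "reject"  # enrolled users must always present a code
    # Constant-time comparison against the code for the current time step.
    ok = hmac.compare_digest(totp(secret, now).encode(), code.encode())
    return "accept" if ok else "reject"
```

A production check would also track used codes and tolerate small clock drift, which this model leaves out.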