mod_auth_otp should honor RequireTableEntry semantics for SFTP logins #1319
Comments
Castaglia
added a commit
that referenced
this issue
Aug 29, 2021
…e user lacks an entry in `AuthOTPTable`.
Castaglia
added a commit
that referenced
this issue
Aug 29, 2021
…ntry-issue1319 Issue #1319: Handle the case where mod_sftp 2FA is configured, but th…
Castaglia
added a commit
that referenced
this issue
Aug 29, 2021
…les` installation in the release notes.
|
Fixed in master. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
One of the goals of
mod_auth_otpis to be able to support users that have OTP entries, but not to require it -- an opt-in approach. That's the idea behind theRequireTableEntryAuthOTPOption.By default,
mod_auth_otpwill not require OTP logins for FTP/FTPS logins for users that don't have entries in theAuthOTPTable.However, these same semantics -- not requiring OTP -- is not actually being done for SFTP logins that use e.g.:
With the desired semantics, you should be able to configure an
AuthOTPTable, and to configure mod_sftp for 2FA, as above; ff the user in question has an entry in theAuthOTPTable, that user will be prompted for the OTP code, and it must match. If they don't, the above should Just Work(tm) without the user requiring the OTP code. Currently, this is not the case.That is, the requirement of OTP/2FA is controlled by per-user entries in the
AuthOTPTable. That's the idea/intent, and it is not being honored for SFTP logins.The text was updated successfully, but these errors were encountered: