On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
> On Mon, 18 Mar 2019, Jelle de Jong via FreeIPA-users wrote:
> > Hello everybody,
> >
> > I am looking for a way to have different authentication policies for
> > freeipa-client logout and screen lock on Linux workstations.
> >
> > When a user logs in I want to use my password+otp (this is working)!
> >
> > When a user locks the screen I want to be able to unlock it with only the
> > password.
> >
> > When a user logs out and back in then it needs to use the password+otp
> > again.
> >
> > I am aware of the security implications for this.
> >
> > How can I configure this policy?
> I don't think there is a way to deploy such policy through SSSD at all.
>
> Jakub, do you have an idea how to make that possible?
Currently I can't think of anything clean either. Are the lock screen and the login manager the same PAM service? If they are different, maybe some hack like letting pam_unix always read the password and then just pass it on to pam_sss would work... But I know Sumit is working on improving the 2FA prompting lately, so maybe this will be improved in the upcoming release.
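To make the "hack" in the reply above concrete, here is an added illustration of what the two PAM stacks would look like; it is not configuration from the thread or from the SSSD project, and it has not been verified to work. The service file names are placeholders (check which PAM service your display manager and your screen locker actually open, for example with the `service=` field in the auth log); `try_first_pass` for pam_unix and `use_first_pass` for pam_sss are real module options, everything else is assumed.

```text
# /etc/pam.d/<login-manager-service>   (placeholder name)
# Login: pam_sss drives the prompting itself, so a user with OTP
# enforced is asked for password+OTP as today.
auth    required    pam_env.so
auth    sufficient  pam_sss.so
auth    required    pam_deny.so

# /etc/pam.d/<screen-locker-service>   (placeholder name; this only makes
# sense if the locker really is a different PAM service from the login manager)
# Unlock: pam_unix reads the password and leaves it in PAM_AUTHTOK; for an
# IPA user it fails (no local hash), and pam_sss then reuses that token via
# use_first_pass instead of prompting for a second factor.
auth    required    pam_env.so
auth    sufficient  pam_unix.so try_first_pass
auth    sufficient  pam_sss.so use_first_pass
auth    required    pam_deny.so
```

Two caveats the thread itself raises: if the locker and the login manager share one PAM service (as GNOME's lock screen and gdm commonly do), there is no separate stack to weaken, and even with separate stacks, whether SSSD accepts a bare password for a user whose IPA auth policy requires OTP is exactly the open question in the reply, so this needs to be tested against your SSSD version rather than assumed. Also keep in mind that the locker stack is the weaker one, so restricting who can open that PAM service matters.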