Hi everyone,

I have a CentOS8 FreeIPA 4.8.0 test environment with a CentOS8 client. I'm enforcing smart card authentication on the client by setting the "authentication indicator" to "pkinit" with the command "ipa host-mod <client> --auth-ind=pkinit". This works fine to restrict SSH, GDM and Console logins to smart card only. However, if I SSH into the client and try to SUDO, it of course doesn't accept the password anymore, and since the card is not connected locally to the client, it doesn't prompt for the PIN.

Is there a way to enforce smart card to login, but still allow sudo to accept passwords? Or to allow sudo to use the ssh-agent auth? (ssh-agent is working fine forwarding auth for SSH connections)

I tried:

    yum install -y pam_ssh_agent_auth

/etc/sudoers:

    Defaults env_keep += "SSH_AUTH_SOCK"

/etc/pam.d/sudo:

    auth sufficient pam_ssh_agent_auth.so

But "sudo -i" still prompts for the password.

Any suggestions would be appreciated.