On Mon, Nov 19, 2018 at 02:20:47AM -0000, MOHIT KUMAR wrote:
> Hi Sumit,
>
> I have added the PAM module separately and it's working by asking MFA inputs.
> However when I add it through sssd it is not able to ask any questions. Is
> there any limitation from sssd side? I mean ideally whether the
> configuration is done independent or whether through sssd the behaviour
> should be same. We are using pam_info and pam_get_item to get the inputs from
> user in the library.

It is a limitation of SSSD. With the SSSD proxy configuration your PAM module is not communicating with the user directly but with a component of SSSD which currently can only handle a single password.

In general it would be possible to enhance SSSD so that the component takes all conversation items, sends them to pam_sss to present them to the user and returns the input to your PAM module. But this won't be a trivial task.

Additionally one of the reasons for SSSD's proxy interface is to allow SSSD to cache a hashed version of the password for offline authentication. E.g. if you use a PAM module to authenticate against a database, say pam_mysql, SSSD can use the cached hash to validate a user password if the database is not reachable. In your case the MFA input contains a value which only works once, so it does not make sense to cache anything.

So if it works it is ok to add it directly into the PAM configuration and not use SSSD's proxy feature.

HTH

bye,
Sumit

> _______________________________________________
> sssd-devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
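
The two setups discussed in this thread, side by side, as an added illustration that is not taken from either message. The module name `pam_example_mfa.so`, the PAM service names `sshd` and `sssdproxy_example`, the domain name `example` and the `required` control flags are placeholders and assumptions; `auth_provider = proxy` and `proxy_pam_target` are SSSD's options for the proxy interface.

```conf
# --- Setup A: MFA module reached through SSSD's proxy interface ---

# /etc/sssd/sssd.conf (fragment; identity provider settings omitted)
[domain/example]
auth_provider = proxy
# PAM service file that SSSD's proxy component runs for authentication.
proxy_pam_target = sssdproxy_example

# /etc/pam.d/sssdproxy_example (placeholder service file)
auth     required   pam_example_mfa.so

# /etc/pam.d/sshd (fragment)
auth     required   pam_sss.so

# Effect described in the thread: the module's conversation is answered by an
# SSSD component that can only handle a single password, so the module's MFA
# questions are never shown to the user.

# --- Setup B: MFA module placed directly in the service's PAM stack ---

# /etc/pam.d/sshd (fragment)
auth     required   pam_example_mfa.so

# The module now talks to the application's own PAM conversation, so its
# prompts reach the user. No password hash is cached for offline
# authentication, which loses nothing when the input is a one-time value.
```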
