URL: https://github.com/SSSD/sssd/pull/760
Title: #760: Add use_2fa_combined option to allow pam services to be configured as password+otp entry
driskell commented:

@sumit-bose I will close this for now. I did start playing with a pam_krb5 with "anon_fast" and "try_pkinit" which seems to allow me to do exactly what I want to do - require OTP on just one service for users where both OTP and password methods are allowed, but still continue using pam_sss for authorisation. So I just refer to the anon_fast supporting pam_krb5 in the authenticate part of PAM. try_pkinit I think makes sure it checks what preauth methods are available before prompting so it only prompts once.

It seems to work now except for one thing - for users with both password auth and OTP auth enabled, even if the service would allow either, they can only authenticate with OTP. If they type only the password it tries both methods and OTP of course fails, but then it attempts encrypted challenge and that says password incorrect. Not sure what's happening there - when I use non-OTP users (or turn off OTP for the user) it works fine.

But either way I have things working how I would like. Not really production-ready though, I guess, so likely will not push it any further. Just thought it interesting to note for others.

I guess for me the long-term solution is to wait for pam_sss to allow specifying a custom keytab so we can set it up as a service with auth indicators, and for it to work like the anon_fast pam_krb5 so it can detect the methods available.

See the full comment at https://github.com/SSSD/sssd/pull/760#issuecomment-474276528
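For readers who want to see the shape of the stack the comment describes (pam_krb5 handling the authenticate phase with the two options named above, pam_sss keeping the account/authorisation phase), here is an added illustrative PAM service file. It is not configuration from the PR, from SSSD or from the commenter; the service name `ssh-otp`, the control flags and the session line are assumptions, and it carries the same caveat the commenter gives, namely that it is not production-tested.

```text
# /etc/pam.d/ssh-otp   -- hypothetical service name, added example only
#
# auth: pam_krb5 (Russ Allbery's pam-krb5 module, which is the one that
#       accepts anon_fast and try_pkinit) performs the Kerberos
#       authentication. anon_fast and try_pkinit are the two options the
#       comment above reports using; the control flag is an assumption.
auth     required   pam_krb5.so anon_fast try_pkinit

# account: authorisation stays with SSSD, as the comment describes.
account  required   pam_sss.so

# session: left with SSSD as well (assumption; not mentioned in the comment).
session  optional   pam_sss.so
```

Before relying on such a stack, confirm on a test host that a user with only password authentication enabled can still log in through this service, and that a user with both methods enabled behaves as the commenter observed (OTP required), since that is the open question the comment leaves unresolved.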
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org