On Mon, Oct 21, 2024 at 04:06:12AM -0000, seojeong kim via sssd-users wrote:
> here is my sssd.conf
>
> [domain/mydomain.com]
> filter_users=root,ubuntu,ec2-user,centos
> filter_groups=root,ubuntu,ec2-user,centos
> offline_timeout = 60
> ignore_group_members = true
> cache_credentials = true
> krb5_store_password_if_offline = True
> ipa_hbac_refresh = 60
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> sudo_provider = ipa
> dns_discovery_domain = mydomain.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_sudo_use_host_filter = false
> ldap_sudo_refresh_enabled = true
>
> ldap_sudo_full_refresh_interval=86400
> ldap_sudo_smart_refresh_interval=200
> ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com?subtree?(|(sudoHost=ip-10-10-247-202-3456.ipa-dev)(sudoHost=+.svc_ipa-dev*)(sudoHost=ALL))
> ldap_connection_expire_timeout = 87473
> entry_cache_timeout = 172800
> krb5_auth_timeout = 30
> debug_level = 9
> [sssd]
> reconnection_retries = 3
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = mydomain.com
> debug_level = 9
> [nss]
> homedir_substring = /home
> debug_level = 9
> [pam]
> debug_level = 9
> [sudo]
> debug_level = 9
> [autofs]
> [ssh]
> debug_level = 9
> [pac]
> [ifp]
> [secrets]
> [session_recording]
> [prompting/password]
> password_prompt = Password :
> [prompting/2fa]
> single_prompt = False
> first_prompt = First Factor:
> second_prompt = Second Factor:
>
> When SSSD is online,
> the ssh prompt for a 2fa user asks like below.
> First Factor:
> Second Factor:
>
> but if SSSD goes offline, the ssh prompt asks only for the password, like
> password :
>
>
> How can I configure it to get the multi prompt for a 2fa user even in SSSD
> offline mode? Of course, otp validation will be ignored even though the user
> inputs an otp.
> I just want to keep the multi prompt in both SSSD online and SSSD offline.
> Is it possible to configure this?

Hi,

this is currently not possible. The prompting is selected based on the available authentication methods. While offline only authentication with the long term password is available and hence SSSD is only using the password prompt.

HTH

bye,
Sumit

> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
