On Fri, Nov 22, 2024 at 02:10:13AM -0000, seojeong kim via sssd-users wrote:
> I made a test again after deleting SSSD cache. 
> 
> #1 
> first login : I put pwd and otp separately. 
> First Factor : pwd 
> Second Factor : otp 
>   
> at the second login : I put it as single string.  
> First Factor : pwd + otp 
> Second Factor : pwd + otp 
> 
> SSSD offline 
> password :   
> with pwd only or pwd + any otp , I can successfully log in.  
> 
> #2 
> Clear SSSD cache 
> First Factor : pwd + otp 
> Second Factor : pwd + otp 
> 
> SSSD offline 
> password : 
> I can't login with valid pwd. 
> 
> 
> From this, I guess that  SSSD cache is not refreshed after every successful 
> login, is that right ? 
> What is the difference between the test case #1 and #2  when SSSD save 
> credential cache ?

Hi,

with 2FA SSSD only saves the hash of the long term password in the cache
if first and second factor were given individually on the separate
prompts. Additionally the length of the second factor is saved. This
means the second attempt of #1 will not overwrite the cached data since
the two factors were given in a single string and in #2 nothing will be
saved at all for the same reason.

The offline login of #1 works either way because if the direct
verification fails and SSSD detects that the password was saved during a
2FA it takes the saved length of the second factor, removes that many
characters from the end of the input and checks again. For #2 nothing is
saved and offline authentication will fail.

So as said before, for offline authentication to work it is crucial that
both factors were entered separately once.

HTH

bye,
Sumit
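A small model of the cache-write rule and the offline fallback Sumit describes, replaying test cases #1 and #2. This is an added example, not SSSD's own code: the PBKDF2 hashing, the `CacheEntry` layout, the function names and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class CacheEntry:
    salt: bytes
    pw_hash: bytes           # hash of the long-term password only
    second_factor_len: int   # length of the OTP typed on the separate prompt

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def record_online_login(cache, user, first_factor, second_factor):
    """Cache-write rule: an entry is written only when the two factors were
    entered on separate prompts; a combined single string (second_factor is
    None) writes nothing and leaves any existing entry untouched."""
    if second_factor is None:
        return
    salt = os.urandom(16)
    cache[user] = CacheEntry(salt, _hash(first_factor, salt), len(second_factor))

def offline_auth(cache, user, typed):
    """Direct check first; if it fails and the entry was saved during a 2FA
    login, drop second_factor_len trailing characters and check again."""
    entry = cache.get(user)
    if entry is None:
        return False
    if hmac.compare_digest(_hash(typed, entry.salt), entry.pw_hash):
        return True
    if 0 < entry.second_factor_len < len(typed):
        stripped = typed[:-entry.second_factor_len]
        return hmac.compare_digest(_hash(stripped, entry.salt), entry.pw_hash)
    return False

def run_scenarios():
    """Replays test cases #1 and #2 with constructed sample credentials."""
    cache1 = {}
    record_online_login(cache1, "alice", "Secr3t!", "123456")    # #1 first login
    record_online_login(cache1, "alice", "Secr3t!123456", None)  # #1 second login
    cache2 = {}                                                 # #2 after cache clear
    record_online_login(cache2, "alice", "Secr3t!123456", None)
    return {
        "t1_pw_only": offline_auth(cache1, "alice", "Secr3t!"),
        "t1_pw_any_otp": offline_auth(cache1, "alice", "Secr3t!999999"),
        "t1_wrong_pw": offline_auth(cache1, "alice", "wrong!!123456"),
        "t2_valid_pw": offline_auth(cache2, "alice", "Secr3t!"),
    }
```

Note that offline the OTP value itself is never checked, only its length is used to strip the input, which is why "pwd + any otp" succeeds in #1.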

-- 
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
