[SSSD-users]Re: multi prompt changed to single prompt

[Sumit Bose via sssd-users]

Am Tue, Jul 15, 2025 at 02:22:42AM -0000 schrieb seojeong kim via sssd-users:
> 2FA user, multi prompt changes to single prompt at the 4th try all the time.  
> 
> Is this flow intended  by FreIPA + SSSD ?   or can  it be configurable at 
> client side by changing something in /etc/sssd/sssd,conf   ?  
> I expect first/second factor for prompt  at the 4th attempt  as well.  
> 
> (seojeong)@xx.yyy.xx.yyy) First Factor: 
> (seojeong)@xx.yyy.xx.yyy) Second Factor: 
> (seojeong)@xx.yyy.xx.yyy) First Factor: 
> (seojeong)@xx.yyy.xx.yyy) Second Factor: 
> (seojeong)@xx.yyy.xx.yyy) First Factor: 
> (seojeong)@xx.yyy.xx.yyy) Second Factor: 
> seoje...@xx.yyy.xx.yyy's password:

Hi,

I assume you are using ssh and in your sshd configuration you have both
`PasswordAuthentication' and `KbdInteractiveAuthentication` (formerly
known as `ChallengeResponseAuthentication`) enabled. What you see is the
switch from `KbdInteractiveAuthentication`, which is needed to get
SSSD's special prompting, to `PasswordAuthentication` where the ssh
client is just asking for a password without using the PAM prompts from
the server side.

If you set `PasswordAuthentication no` in your /etc/ssh/sshd_config on
the server side you won't see the password anymore.

If you want to change how often the ssh client is asking for credentials
you have to use the `NumberOfPasswordPrompts` option on the client side
by either using it directly e.g.

    ssh -o NumberOfPasswordPrompts=4 -l myuser remotehost

or by adding it to /etc/ssh/ssh_config on all clients which should not
use the default of '3' prompts.

HTH

bye,
Sumit

> -- 
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue