** Summary changed:

- Using SSS authentication with TOTP prompts requires disabling Unix authentication
+ Calling pam_sss module only after pam_unix denies does not allow the sss module to prompt for 2FA
** Description changed:

- lsb-release (behaves the same on all recent releases except for *caveat around Resolute below):
+ lsb-release (behaves the same on all recent releases except for *caveat around Resolute below):
  Description: Ubuntu 24.04.4 LTS
  Release: 24.04

  libpam-runtime:
- Installed: 1.5.3-5ubuntu5.5
+ Installed: 1.5.3-5ubuntu5.5

  What happens.
  FreeIPA enrolled clients do not prompt users for TOTP when it's a configured indicator.

  What should happen.
  Users should be prompted for a TOTP if it's configured as a required or optional indicator.

  The pam_sss module (SSS authentication in pam-auth-update) is capable of doing this prompting and acting accordingly, but the user is only prompted at login / su if the "Unix authentication" / pam_unix is
- disabled with pam-auth-update.
+ disabled with pam-auth-update or pam_unix is skipped for non local
+ users.

  Disabling pam_unix of course prevents local users from logging in, which
- is sub optimal!
-
- I have tried to get closer to the redhat / rocky pam configs to get the
- desired behaviour with both modules functioning correctly, but not
- succeeded yet.
+ is sub optimal. pam-auth-update does not generate a config that allows
+ non-local users to be authed against pam_sss without having first
+ attempted pam_unix.

  *This has become more pertinent due to a bug in Resolute which I haven't yet reported. With pam_sss and pam_unix both enabled, a user with [password , password+otp] indicators configured has to provide the password and otp concatenated despite password without otp being an "allowed" mechanism. When the pam_unix is disabled pam_sss is able to prompt for the otp and allows login with or without otp according to the indicators the host is configured for.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146581

Title:
  Calling pam_sss module only after pam_unix denies does not allow the sss module to prompt for 2FA

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2146581/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
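As an added illustration (not part of the bug report, and not pam-auth-update's own output), the first fragment below is the primary block of /etc/pam.d/common-auth as generated when both "Unix authentication" and "SSS authentication" are enabled, which is where the `use_first_pass` on pam_sss stops it from ever prompting for a second factor; the second fragment is a hand-maintained alternative that uses pam_localuser.so to skip pam_unix for users absent from /etc/passwd, so pam_sss collects the credentials itself. The second fragment and its jump counts are my construction and assume this exact five-module ordering and that pam-auth-update is prevented from regenerating the file.

```pam
# Fragment 1: primary block produced by pam-auth-update with the unix and sss
# profiles enabled (reconstructed from the default profiles, not copied from
# the report). pam_unix prompts for the password first; pam_sss only runs after
# pam_unix has denied, and use_first_pass forbids it from prompting at all, so
# the OTP prompt can never be issued.
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

# Fragment 2: hand-maintained alternative (assumption: this replaces the
# primary block above and pam-auth-update no longer manages the file).
# pam_localuser succeeds only for users present in /etc/passwd:
#   local user -> success=ok: fall through to pam_unix exactly as before
#   other user -> default=1: skip pam_unix, reach pam_sss with no password on
#                 the stack, so pam_sss issues its own password and OTP prompts
#                 according to the user's FreeIPA authentication indicators
auth    [success=ok default=1]          pam_localuser.so
# success=2 skips pam_sss and pam_deny and lands on pam_permit
auth    [success=2 default=ignore]      pam_unix.so nullok
# forward_pass: on success, the password pam_sss collected is placed on the
# stack for later modules that expect it there; success=1 skips pam_deny
auth    [success=1 default=ignore]      pam_sss.so forward_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
```

The jump counts are relative to this ordering: inserting or removing a module between pam_localuser and pam_permit requires recounting them, otherwise a failed pam_unix can land on pam_permit and allow the login.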
