Hello the list,

As a workaround for another issue we have with using two-factor
authentication, we're using pam_krb5 to change expired passwords, so in
/etc/pam.d/password-auth-ac we have changed the password section to be:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so chpw_prompt=true use_authtok banner=Retype

This puts the user through a password reset process without the second
factor interfering, but at the end they get a shell. This is without the
second factor.

Is there a parameter for this so that the connection is disconnected instead, or
the connection attempt is restarted?

I've also tried changing the pam control 'sufficient' from:

[success=done new_authtok_reqd=done default=ignore]

to

[default=ignore]

Regards,

Aaron Hicks


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
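A simplified model of how Linux-PAM evaluates a module stack, added here as an illustration (it is not code from the mail or from Linux-PAM itself): it expands the 'sufficient' and 'requisite' keywords into their bracketed form from pam.conf(5) and runs the quoted password section against hand-constructed module results, so the effect of swapping 'sufficient' for '[default=ignore]' on pam_krb5 can be traced.

```python
# Simplified model of how Linux-PAM resolves a module stack, added for this
# thread to show how the control flags in the quoted password section combine.
# Not code from the mail or Linux-PAM; module return values are constructed.

# Expansions from pam.conf(5): each keyword is shorthand for a bracketed spec.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """'sufficient' or '[success=done default=ignore]' -> {retval: action}."""
    spec = KEYWORDS.get(control, control)
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("unknown control: " + control)
    return dict(item.split("=", 1) for item in spec[1:-1].split())

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: return value}.
    Returns (stack result, modules consulted); jumps/substacks not modelled."""
    impression, status, consulted = None, "perm_denied", []
    for control, module in stack:
        actions = parse_control(control)
        retval = results[module]
        consulted.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":          # result does not contribute at all
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression = "positive" if retval == "success" else "negative"
                status = retval
            if impression == "positive" and action == "done":
                break                   # 'done': stop with a positive result
        else:                           # 'bad' or 'die'
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break
    if status == "success" and impression != "positive":
        status = "perm_denied"          # PAM's sanity check on the final result
    return status, consulted

# The password section from the mail, with pam_sss commented out as posted.
POST_STACK = [("requisite", "pam_pwquality.so"),
              ("sufficient", "pam_unix.so"),
              ("sufficient", "pam_krb5.so")]
```

Feeding run_stack constructed results such as pam_pwquality "success", pam_unix "user_unknown" and pam_krb5 "success" shows pam_krb5's 'done' ending the stack positively, while with '[default=ignore]' on pam_krb5 the outcome is whatever the earlier modules already decided.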