Hello the list,


As a workaround for another issue we have with using two-factor
authentication, we're using pam_krb5 to change expired passwords, so in
/etc/pam.d/password-auth-ac we have changed the password section to be:


password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so chpw_prompt=true use_authok


This puts the user through a password reset process without the second
factor interfering, but at the end they get shell. This is without the
second factor.


Is there a parameter for this so that the connection is disconnected instead, or
the connection attempt is restarted?


I've also tried changing the pam control 'sufficient' from:


[success=done new_authtok_reqd=done default=ignore]

Aaron Hicks


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org