Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> As a workaround for another issue we have with using two-factor
> authentication, we're using pam_krb5 to change expired passwords, so in
> /etc/pam.d/password-auth-ac we have changed the password section to be:
>
...
>
> This puts the user through a password reset process without the second
> factor interfering, but at the end they get a shell. This is without the
> second factor.
>
> Is there a parameter for this so that the connection is disconnected instead, or
> the connection attempt is restarted?

I'd try pam_deny. This should work for the password section.

Jochen

-- 
This space is intentionally left blank.