Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP.
Here’s the default in password-auth and system-auth for Centos 7:

auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass

This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g.

auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass

The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test.

> On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users
> <[email protected]> wrote:
>
> Hello everybody,
>
> Thank you all for replying.
>
> On 18/03/2019 20:44, Jakub Hrozek wrote:
>> On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
>>> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote:
>>>> Hello everybody,
>>>>
>>>>
>>>> I am looking for a way to have different authentication policy for a
>>>> freeipa-client logout and screenlock on linux workstations.
>>>>
>>>> When a user logs in I want to use my password+otp (this is working)!
>>>>
>>>> When a user locks its screen I want to be able to unlock it with only the
>>>> password.
>>>>
>>>> When a user logs out and back in then it needs to use the password+otp
>>>> again.
>>>>
>>>> I am aware of the security implications for this.
>>>>
>>>> How can I configure this policy?
>>> I don't think there is a way to deploy such policy through SSSD at all.
>>>
>>> Jakub, do you have an idea how to make that possible?
>> Currently I can't think of anything clean either. Are the lock screen and the
>> login manager the same PAM service? If they are different, maybe some
>> hack like letting pam_unix always read the password and then just
>> pass it on to pam_sss would work..
>> But I know Sumit is working on improving the 2FA prompting lately, so
>> maybe this will be improved in the upcoming release.
>
> I seem to have mate-screensaver, lightdm and xrdp-sesman.
>
> Will that be enough to hook a custom pam rule together for mate-screensaver?
>
> If not, is it possible to disable OTP for all the desktop systems in
> sssd.conf and have it still working for all other systems with
> --user-auth-type=otp as the only enabled option in freeipa?
>
> Also for laptop systems in offline
>
> disable_preauth
> forward_pass
>
> Mar 19 18:54:50 workstation01 mate-screensaver-dialog:
> pam_unix(mate-screensaver:auth): authentication failure; logname=
> uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
>
> Mar 19 18:54:51 workstation01 mate-screensaver-dialog:
> pam_sss(mate-screensaver:auth): authentication success; logname=
> uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
>
> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth):
> authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost=
> user=jdejong
>
> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth):
> authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost=
> user=jdejong
>
> Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
>
> Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
>
> cat /etc/pam.d/mate-screensaver
> @include common-auth
> auth optional pam_gnome_keyring.so
>
> cat /etc/pam.d/common-auth
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_sss.so use_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth optional pam_ecryptfs.so unwrap
> auth optional pam_cap.so
> # end of pam-auth-update config
>
> sssd 1.16.1-1ubuntu1.1
>
> root@workstation01:~# ls -hal /etc/pam.d/
> total 136K
> drwxr-xr-x   2 root root 4,0K Mar 15 11:35 .
> drwxr-xr-x 161 root root  12K Mar 19 18:22 ..
> -rw-r--r--   1 root root  384 Jan 25  2018 chfn
> -rw-r--r--   1 root root   92 Jan 25  2018 chpasswd
> -rw-r--r--   1 root root  581 Jan 25  2018 chsh
> -rw-r--r--   1 root root 1,3K Mar 11 16:11 common-account
> -rw-r--r--   1 root root 1,4K Mar 11 16:11 common-auth
> -rw-r--r--   1 root root 1,6K Mar 11 16:11 common-password
> -rw-r--r--   1 root root 1,6K Mar 11 16:11 common-session
> -rw-r--r--   1 root root 1,5K Mar 11 16:11 common-session-noninteractive
> -rw-r--r--   1 root root  606 Nov 16  2017 cron
> -rw-r--r--   1 root root   69 Mar 27  2018 cups
> -rw-r--r--   1 root root  884 Mar 22  2018 lightdm
> -rw-r--r--   1 root root  551 Mar 22  2018 lightdm-autologin
> -rw-r--r--   1 root root  727 Mar 22  2018 lightdm-greeter
> -rw-r--r--   1 root root 4,9K Jan 25  2018 login
> -rw-r--r--   1 root root   57 Dec 11  2014 mate-screensaver
> -rw-r--r--   1 root root   92 Jan 25  2018 newusers
> -rw-r--r--   1 root root  520 Apr  4  2018 other
> -rw-r--r--   1 root root   92 Jan 25  2018 passwd
> -rw-r--r--   1 root root  270 Jul 13  2018 polkit-1
> -rw-r--r--   1 root root  168 Feb 26  2018 ppp
> -rw-r--r--   1 root root  143 Feb 14  2018 runuser
> -rw-r--r--   1 root root  138 Feb 14  2018 runuser-l
> -rw-r--r--   1 root root   84 Nov  8 19:09 samba
> -rw-r--r--   1 root root 2,1K Mar  4 13:17 sshd
> -rw-r--r--   1 root root  214 Jan 16 16:58 sssd-shadowutils
> -rw-r--r--   1 root root 2,3K Jan 25  2018 su
> -rw-r--r--   1 root root  239 Jan 18  2018 sudo
> -rw-r--r--   1 root root  317 Apr 20  2018 systemd-user
> -rw-r--r--   1 root root  104 Feb 16  2018 xrdp-sesman
>
> Thank you in advance!
>
> Kind regards,
>
> Jelle de Jong
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
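The control-flag jumps in the reply above are easy to misread, so here is an added example (not part of this thread, and not Linux-PAM or SSSD code) that simulates the auth stack with the service test in front of the stock CentOS 7 lines. Module behaviour is stubbed and is an assumption of the example: pam_unix and pam_localuser succeed only for local accounts, pam_sss only for IPA accounts, pam_succeed_if evaluates its `uid >=` or `service in` test; the closing `required pam_deny.so` line is assumed from the stock stack, and the users are constructed. It shows which modules actually run for an IPA user on lightdm or xrdp-sesman (pam_unix first, so a single prompt) versus sshd (pam_unix skipped), and for root.

```python
"""Simulate Linux-PAM 'auth' stack control flow for the stack quoted above.
Constructed example: module outcomes are stubbed; only the control
semantics that matter here (sufficient/requisite/required and the
bracketed [success=N default=ignore] style jumps) are modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class User:
    name: str
    uid: int
    backend: Optional[str]   # "local" (/etc/passwd), "ipa" (via sssd) or None (unknown)


# Stack from the reply: service test first, then the stock CentOS 7 lines.
# The final pam_deny line is assumed (it closes the stock stack).
STACK_WITH_SERVICE_TEST = [
    ("[success=2 default=ignore]", "pam_succeed_if.so", "service in lightdm:xrdp-sesman"),
    ("[default=1 ignore=ignore success=ok]", "pam_succeed_if.so", "uid >= 1000 quiet"),
    ("[default=1 ignore=ignore success=ok]", "pam_localuser.so", ""),
    ("sufficient", "pam_unix.so", "nullok try_first_pass"),
    ("requisite", "pam_succeed_if.so", "uid >= 1000 quiet_success"),
    ("sufficient", "pam_sss.so", "forward_pass"),
    ("required", "pam_deny.so", ""),
]
DEFAULT_STACK = STACK_WITH_SERVICE_TEST[1:]   # stock stack without the service test


def run_module(module: str, args: str, user: User, service: str) -> str:
    """Stubbed module outcomes (assumption of this example): 'success' or 'fail'."""
    if module == "pam_succeed_if.so":
        field, op, value = args.split()[:3]
        if (field, op) == ("uid", ">="):
            return "success" if user.uid >= int(value) else "fail"
        if (field, op) == ("service", "in"):
            return "success" if service in value.split(":") else "fail"
        raise ValueError(f"unsupported pam_succeed_if test: {args}")
    if module in ("pam_localuser.so", "pam_unix.so"):
        return "success" if user.backend == "local" else "fail"
    if module == "pam_sss.so":
        return "success" if user.backend == "ipa" else "fail"
    if module == "pam_deny.so":
        return "fail"
    raise ValueError(f"unknown module {module}")


def parse_control(control: str) -> dict:
    """Map a control field to {result: action}. Actions are 'ok', 'ignore',
    'done', 'die', 'bad', or an int N meaning 'skip the next N lines'."""
    keywords = {
        "sufficient": {"success": "done", "default": "ignore"},
        "requisite": {"success": "ok", "default": "die"},
        "required": {"success": "ok", "default": "bad"},
    }
    if control in keywords:
        return keywords[control]
    table = {}
    for pair in control.strip("[]").split():
        key, action = pair.split("=")
        table[key] = int(action) if action.isdigit() else action
    return table


def evaluate(stack, user: User, service: str) -> Tuple[str, List[str]]:
    """Walk the stack as libpam does (simplified); return the final result
    and the modules that were actually invoked, in order."""
    invoked: List[str] = []
    required_failed = False
    status = None
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        result = run_module(module, args, user, service)
        invoked.append(module)
        actions = parse_control(control)
        action = actions.get(result, actions["default"])
        if isinstance(action, int):          # jump over the next N lines
            i += action + 1
            continue
        if action == "ok" and not required_failed:
            status = "success"
        elif action == "done":               # sufficient: return now
            return ("fail" if required_failed else "success"), invoked
        elif action == "die":                # requisite: fail now
            return "fail", invoked
        elif action == "bad":                # required: remember, keep going
            required_failed = True
        i += 1
    final = "success" if status == "success" and not required_failed else "fail"
    return final, invoked


def prompts_once(stack, user: User, service: str) -> bool:
    """True when pam_unix runs before pam_sss, i.e. the user gets one
    password(+OTP) prompt whose value pam_sss then takes from the stack."""
    invoked = evaluate(stack, user, service)[1]
    return "pam_unix.so" in invoked and (
        "pam_sss.so" not in invoked
        or invoked.index("pam_unix.so") < invoked.index("pam_sss.so"))


# Constructed users: the IPA user from the logs, root, and an unknown account.
IPA_USER = User("jdejong", 350600021, "ipa")
ROOT = User("root", 0, "local")
UNKNOWN = User("nobody-here", 5000, None)

if __name__ == "__main__":
    for svc in ("lightdm", "xrdp-sesman", "sshd"):
        print(svc, evaluate(STACK_WITH_SERVICE_TEST, IPA_USER, svc))
```

Run it and compare the invoked-module lists: with the stock stack an IPA user never reaches pam_unix on any service (pam_sss does all the prompting), while with the service test in front, lightdm and xrdp-sesman jump straight to pam_unix and sshd still behaves as before; root (uid < 1000, local) is authenticated by pam_unix alone in both stacks.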
