On Mon, Dec 13, 2021 at 01:34:12PM -0000, Sam Morris via FreeIPA-users wrote:
> I enabled OTP for my user. On RHEL and Fedora systems, I get the
> expected interactive 'first factor' followed by 'second factor'
> prompts which work fine.
> 
> On a Debian system, PAM still only gives me the single 'Password:'
> prompt and I have to enter the password + OTP at the same time.
> 
> I'm not very familiar with where I need to be looking but I guess
> starting with the version of pam_sss.so would be a good idea, I've got
> 2.6.1-1 installed. Had a quick look through sssd.conf(5), sssd-ipa(5)
> and sssd-krb5(5) and didn't see any options that seemed relevant to
> OTP processing. Before I fire a bug report off to the Debian BTS, can
> anyone suggest anything else I can check out?

Hi,

I would suggest to look at the PAM configuration. Typically with PAM you
let one module ask for the password and if it can't handle it the
password will be forwarded to the next module. The drawback is that more
modules only know about password and will only prompt you for a
password.

On RHEL and Fedora there are checks in the PAM configuration if the user
trying to log in is a local user from /etc/passwd and then pam_unix is
called. Otherwise pam_unix will be skipped and pam_sss will be called
directly and now pam_sss can determine with the help of SSSD how to
prompt the user.

HTH

bye,
Sumit

> 
> Thanks
> 
> --
> Sam Morris <https://robots.org.uk/>
> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
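
An added example, not part of the original message and not SSSD or FreeIPA code: a small check for the auth-stack ordering described in the reply above, reporting why pam_sss would not show its own first/second factor prompts. Both stacks are constructed samples, and the guard detection is a heuristic that only looks for a pam_localuser jump ahead of pam_unix.

```python
import re

# Constructed sample stacks (not copied from any system): one where pam_unix
# runs first for every user, one where a pam_localuser guard skips it.
UNGUARDED = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
GUARDED = """\
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# type, control (simple keyword or [value=action ...]), module, arguments
LINE = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Yield (control, module, args) for each auth line, skipping comments."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])
        if m:
            yield m.group(1), m.group(2).rsplit("/", 1)[-1], m.group(3).split()

def check_stack(text):
    """Return findings explaining why pam_sss may not show its own prompts."""
    findings, guarded = [], False
    for control, module, args in parse_auth(text):
        if module == "pam_localuser.so" and re.search(r"default=\d+", control):
            # Heuristic: non-local users jump over the module(s) that follow.
            guarded = True
        elif module == "pam_unix.so" and not guarded:
            findings.append("pam_unix prompts every user before pam_sss")
        elif module == "pam_sss.so":
            if "use_first_pass" in args:
                # pam_sss(8): use_first_pass never prompts the user itself.
                findings.append("pam_sss uses the earlier password, never prompts")
            break
    return findings

if __name__ == "__main__":
    for name, stack in (("unguarded", UNGUARDED), ("guarded", GUARDED)):
        print(name, check_stack(stack) or "pam_sss can choose its own prompts")
```

To check a real host, pass the contents of the service's auth stack (with any @include files expanded by hand) to check_stack().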