On Mon, 27 May 2024, seojeong kim via FreeIPA-users wrote:
IPA offline authentication mode doesn't work when sssd.conf has single_prompt =
True for an ipauserauthtype=otp user?
When I have a test, ipauserauthtype = otp.

single_prompt = False,
first_factor = pwd :
second_factor = otp :

Offline authentication works with the above configuration, but when I set
single_prompt = True,
offline authentication doesn't work.

That is expected. Offline authentication works by storing a hashed
version of a password locally and then comparing a hashed version of an
entered password against this hash. As a result, when you use a single
prompt, there is no separate password to hash; the whole pin+token
sequence is hashed. Since the token value changes each time, it will never
match the stored hashed version.

If you want offline authentication to work in such a case, you have to
give up single prompting.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
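
A simplified model of the cache comparison described in the reply above, added here as an illustration; it is not SSSD or FreeIPA code. Assumptions: PBKDF2 stands in for the cache hash, the OTP secret is the RFC 6238 test-vector secret, the password is constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

RFC_SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test-vector secret
PASSWORD = "constructed-password"       # constructed sample first factor

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def make_cache_entry(credential: str) -> tuple[bytes, bytes]:
    """Cache a salted hash of whatever string the client saw as the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)
    return salt, digest

def offline_check(entry: tuple[bytes, bytes], credential: str) -> bool:
    """Re-hash the entered string with the cached salt and compare."""
    salt, stored = entry
    cand = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)
    return hmac.compare_digest(stored, cand)

def simulate(single_prompt: bool) -> bool:
    """Online login at t0 fills the cache; an offline login follows at t1."""
    t0, t1 = 59, 1111111109            # two RFC 6238 test-vector times
    if single_prompt:
        # One input field: the client cannot tell where the password ends,
        # so the cached hash covers password + token as a single string.
        entry = make_cache_entry(PASSWORD + totp(RFC_SECRET, t0))
        return offline_check(entry, PASSWORD + totp(RFC_SECRET, t1))
    # Separate prompts: the first factor arrives on its own and is what
    # gets cached, so the later comparison is against a stable value.
    entry = make_cache_entry(PASSWORD)
    return offline_check(entry, PASSWORD)

if __name__ == "__main__":
    print("two prompts, offline login ok:", simulate(single_prompt=False))
    print("single prompt, offline login ok:", simulate(single_prompt=True))
```
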