Hi, I'm still working on my Debian systems to get local login to work with OTP.
In /etc/pam.d/common-auth we have: auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_sss.so use_first_pass On CentOS we have something more complicated in /etc/pam.d/system-auth: auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass I think we need something more elaborated for debian to replicate the (good!) experience from CentOS when asking for "First/Second Factor". The four lines from above work well, but how can we get that into pam-auth-update? Any ideas how this could be packaged? Jochen -- The only problem with troubleshooting is that the trouble shoots back. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
