On Fri, Feb 20, 2015 at 12:23:37PM +0100, Sumit Bose wrote:
> > Or is the expected workflow to run the pre-authentication, and if it
> > determines 2FA is to be used, just store the Login + Password as
> > captured by mod_intercept_form_submit from the logon POST, not submit
> > the first password at all, and redirect to that extra page to ask for
> > the second factor?
>
> If the backend supports 2FA, pam_sss will run the pre-auth request to see
> if 2FA is configured for the given user or not. Depending on the result,
> pam_sss will call the pam_conversation function which you provide with
> pam_start with either '1' or '2' as the first argument. So the
> application can easily see if 1 or 2 factors are expected. If the
> application fills only the first factor, like e.g. ssh with password
> authentication, pam_sss will treat the input as a combined token where
> long-term password and OTP are given in a single string to assure
> backward compatibility. With this there is no need to change the
> application side. Only if the application wants to support the special
> separate prompting for the two factors should it check the first
> argument of pam_conversation and act accordingly.
>
> Does this answer your questions?
Ah, so the conversation function will be passed both messages in one call
(for the 2FA situation), rather than being called twice? That makes it
easier.

If at that point the caller (mod_authnz_pam.c) decides it needs to
redirect to a different web page to prompt the user with multiple password
textfields and returns PAM_CONV_ERR, will that count as failed
authentication on the backend side?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel