On Fri, Feb 20, 2015 at 01:25:42PM +0100, Jan Pazdziora wrote:
> On Fri, Feb 20, 2015 at 12:23:37PM +0100, Sumit Bose wrote:
> >
> > > Or is the expected workflow to run the pre-authentication, and if it
> > > determines 2FA is to be used, just store the Login + Password as
> > > captured by mod_intercept_form_submit from the logon POST, not submit
> > > the first password at all, and redirect to that extra page to ask for
> > > the second factor?
> >
> > If the backend supports 2FA pam_sss will run the pre-auth request to see
> > if 2FA is configured for the given user or not. Depending on the result
> > pam_sss will call the pam_conversation function which you provide with
> > pam_start with either '1' or '2' as the first argument. So the
> > application can see easily if 1 or 2 factors are expected. If the
> > application fills only the first factor, like e.g. ssh with password
> > authentication, pam_sss will treat the input as a combined token where
> > long term password and OTP are given in a single string to assure
> > backward compatibility. With this there is no need to change the
> > application side. Only if the application wants to support the special
> > separate prompting for the two factors it should check the first
> > argument of pam_conversation and act accordingly.
> >
> > Does this answer your questions?
>
> Ah, so the conversation function will be passed both messages in one
> call (for the 2FA situation), rather than being called twice? That
> makes it easier.
>
> If at that point the caller (mod_authnz_pam.c) decides it needs to
> redirect to a different web page to prompt the user with multiple
> password textfields and returns PAM_CONV_ERR, will that count as
> failed authentication on the backend side?
This kind of failure does not even go to the backends, it just happens in
the PAM stack:

- the application (mod_authnz_pam.c) calls pam_start() with a user name
  and a pam_conversation callback
- the application calls pam_authenticate()
- libpam will run pam_sm_authenticate() from pam_sss
- pam_sss runs the pre-auth request to see which prompting is needed
- pam_sss will call the pam_conversation callback provided by pam_start()
- if the callback returns an error pam_sss will return this error code
- pam_authenticate() in the application returns the error code

So the calling application will see PAM_CONV_ERR but not the backends.

HTH

bye,
Sumit

>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
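The conversation callback the thread describes, written out as an added example (editor's code, not from sssd, mod_authnz_pam or either poster). It inspects the number of prompts pam_sss sends: one prompt gets the password, or the combined password+OTP string when the form already supplied both; two prompts get the factors separately, and if only the password was posted the callback returns PAM_CONV_ERR so pam_authenticate() fails inside the PAM stack and the web application can redirect to a two-field page. The names web_creds, web_conv and try_login are hypothetical, the first-factor-then-OTP order and the "First Factor:"/"Second Factor:" prompt texts follow Sumit's description rather than any checked pam_sss source, and the PAM constants and structs are copied with their Linux-PAM names and values so the file builds without libpam-dev (a real application includes <security/pam_appl.h> instead):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux-PAM definitions the callback needs, copied from <security/pam_appl.h>
 * (same names and values) so this example compiles without libpam-dev. */
#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical appdata passed to pam_start(): what the web application
 * captured from the login POST. otp is NULL if the form had one field. */
struct web_creds { const char *password; const char *otp; };

/* malloc'd copy of a followed by b (libpam frees responses with free()) */
static char *join(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    char *s = malloc(la + lb + 1);
    if (s) { memcpy(s, a, la); memcpy(s + la, b, lb + 1); }
    return s;
}

void free_responses(struct pam_response *r, int n)
{
    int i;
    if (!r) return;
    for (i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* pam_conv callback: one prompt means single/combined token, two prompts
 * mean pam_sss found 2FA configured and wants the factors separately. */
int web_conv(int num_msg, const struct pam_message **msg,
             struct pam_response **resp, void *appdata_ptr)
{
    const struct web_creds *c = appdata_ptr;
    struct pam_response *r;
    int i, nprompts = 0, answered = 0;

    *resp = NULL;
    if (num_msg <= 0 || !c || !c->password) return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++)
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF ||
            msg[i]->msg_style == PAM_PROMPT_ECHO_ON)
            nprompts++;

    /* Two factors requested but only a password posted: fail the conversation.
     * pam_authenticate() then returns PAM_CONV_ERR to the application without
     * the backend being contacted, and the app can redirect to a 2FA page. */
    if (nprompts > 2 || (nprompts == 2 && !c->otp)) return PAM_CONV_ERR;

    r = calloc((size_t)num_msg, sizeof(*r));
    if (!r) return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (nprompts == 1)   /* legacy single prompt: password, or password+OTP */
                r[i].resp = join(c->password, c->otp ? c->otp : "");
            else                 /* separate prompts: first factor, then OTP */
                r[i].resp = join(answered == 0 ? c->password : c->otp, "");
            answered++;
            if (!r[i].resp) { free_responses(r, num_msg); return PAM_BUF_ERR; }
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            break;               /* informational, no answer expected */
        default:
            free_responses(r, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Drive the callback with constructed prompts (what pam_sss would send);
 * copies the answers into a0/a1 and returns the callback's result code. */
int try_login(int nprompts, const char *password, const char *otp,
              char *a0, size_t l0, char *a1, size_t l1)
{
    struct pam_message m[2] = { { PAM_PROMPT_ECHO_OFF, "First Factor: " },
                                { PAM_PROMPT_ECHO_OFF, "Second Factor: " } };
    const struct pam_message *mp[2] = { &m[0], &m[1] };
    struct web_creds creds = { password, otp };
    struct pam_response *r = NULL;
    int rc = web_conv(nprompts, mp, &r, &creds);
    a0[0] = a1[0] = '\0';
    if (rc == PAM_SUCCESS) {
        snprintf(a0, l0, "%s", r[0].resp);
        if (nprompts == 2) snprintf(a1, l1, "%s", r[1].resp);
    }
    free_responses(r, nprompts);
    return rc;
}

int main(void)
{
    char a[64], b[64];
    int rc = try_login(2, "s3cret", NULL, a, sizeof a, b, sizeof b);
    printf("2 prompts, no OTP posted: rc=%d%s\n", rc,
           rc == PAM_CONV_ERR ? " (redirect for second factor)" : "");
    rc = try_login(2, "s3cret", "123456", a, sizeof a, b, sizeof b);
    printf("2 prompts, both posted: rc=%d first=%s second=%s\n", rc, a, b);
    rc = try_login(1, "s3cret", "123456", a, sizeof a, b, sizeof b);
    printf("1 prompt, both posted: rc=%d combined=%s\n", rc, a);
    return 0;
}
```

In a real mod_authnz_pam-style flow the application would pass web_conv and a web_creds pointer to pam_start(), call pam_authenticate(), and treat PAM_CONV_ERR as "ask for the second factor" rather than as a failed login, since, as the reply above notes, that error never reached the backend.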