On Fri, Feb 20, 2015 at 04:53:31PM +0100, Jakub Hrozek wrote:
> On Fri, Feb 20, 2015 at 04:33:58PM +0100, Sumit Bose wrote:
> > > I'm curious about the splitting. Can you learn what the factors are if
> > > the service doesn't offer the smart prompting? (For instance, if OTP
> > > users only ever logged in with SSH)
> > 
> > no, in this case we always do 1FA from the SSSD point of view as we do
> > now.
> 
> Which means we would never have the offline support... this is something
> we need to document. Then again, offline support is mostly useful for
> workstations, where you're likely to use a login method that allows
> smarter prompting.

yes, offline support will only work if the two factors are entered
separately. If e.g. you always put long-term+OTP in the first gdm prompt
and leave the second empty you will be able to log in but offline
support won't work as well. We cannot enforce this from the pam_sss
side, because we would break services which can only handle one prompt.

bye,
Sumit
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel