Hello,

I've been writing some text to integrate freeipa/sssd with openconnect server [0], and for single password or OTP that seems to integrate seamlessly. However, when PAM-SSSD is configured to use smart cards, that only works with locally inserted cards. That is, even if one uses the smart card to establish the channel used for the VPN, the PAM module wouldn't know that.

Would it make sense to use a flag (e.g., via pam_putenv()), so that the caller of the PAM functions sets the information provided by the certificate used for the session, for SSSD to assume a card is present? (*)

regards,
Nikos

[0]. https://github.com/openconnect/recipes/blob/master/ocserv-freeipa.md

(*). Unfortunately with TLS you can verify a signature from a smart card, but you cannot have a proof that you did it recently.