Sometime around CentOS 7.5, pam auth was changed to skip pam_unix except for local accounts. The goal was to allow pam_sss to give multiple prompts for multiple factors.
This is nice in principle, but we’re having to back out. I thought sss maintainers and others might want to know why. We use FreeOTP for all systems staff and some users. Two prompts work fine for sshd and other things where Red Hat is responsible for maintenance. But it fails for everything else. Examples: X2Go, Xrdp, Jupyterhub, Zeppelin, anything using LDAP authentication. Indeed pretty much every web application or commercial application that needs to authenticate. It appears that at this point, at least in our environment, it’s not practical to use any authentication that requires multiple prompts.
