On Mon, Mar 18, 2019 at 04:40:48PM +0000, Charles Hedrick wrote:
> Sometime around CentOS 7.5, PAM auth was changed to skip pam_unix except for
> local accounts. The goal was to allow pam_sss to give multiple prompts for
> multiple factors.
>
> This is nice in principle, but we're having to back out. I thought sss
> maintainers and others might want to know why.
>
> We use FreeOTP for all systems staff and some users. Two prompts work fine
> for sshd and other things where Red Hat is responsible for maintenance. But it
> fails for everything else. Examples: X2Go, Xrdp, JupyterHub, Zeppelin,
> anything using LDAP authentication. Indeed pretty much every web application
> or commercial application that needs to authenticate.
>
> It appears that at this point, at least in our environment, it's not
> practical to use any authentication that requires multiple prompts.
Hi,

jfyi, I'm currently working on making the prompting more configurable/flexible. You can find my WIP design page at

https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38736eaf26261/f/design_pages/prompting_configuration.rst

Comments and suggestions are welcome.

bye,
Sumit

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
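The PAM stack Charles refers to, shown here as an added illustration that is not part of the thread and not taken from the SSSD project: an `auth` section in the RHEL/CentOS 7.5 authconfig style, where pam_localuser.so gates pam_unix.so so that only accounts present in /etc/passwd are handled by pam_unix, and directory users fall through to pam_sss.so, which runs its own conversation (password, then one-time token) when two-factor authentication is configured. The file name, the uid threshold and the module options are assumptions for the example; the lines a given host actually carries depend on how authconfig was run.

```conf
# /etc/pam.d/system-auth, auth section only. Illustrative stack in the
# RHEL/CentOS 7.5 authconfig style; not copied from any particular host.
#
# Control-field semantics used below:
#   [default=1 ignore=ignore success=ok]  on failure, jump over the next 1
#                                         module; on success, continue to it.
#   sufficient                            success ends the stack with PASS;
#                                         failure is ignored, stack continues.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000

# System accounts (uid < 1000) skip the pam_localuser test and go straight
# to pam_unix; ordinary users (uid >= 1000) are checked for being local.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet

# pam_localuser succeeds only if the user exists in /etc/passwd. When it
# fails (a directory user), the next line, pam_unix, is skipped. This is the
# "skip pam_unix except for local accounts" behaviour from the message
# above: a directory user never gets a password prompt from pam_unix, so
# pam_sss is free to issue both of its own prompts.
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# forward_pass: pass the collected password on to later modules. With 2FA
# enabled in SSSD, pam_sss prompts for the first factor and then the second.
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
```

Two things follow from this layout that match the failures reported above. First, any application that drives PAM with a fixed, single-prompt conversation function (common in web-application and remote-desktop PAM bridges) answers the first PAM_PROMPT_ECHO_OFF message and has nothing to supply for the second, so pam_sss fails the login. Second, an application that authenticates with a direct LDAP bind never enters this stack at all, so no PAM module can ask for the token; for those, the second factor has to be enforced elsewhere (for example by the identity provider) rather than in PAM.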
