That looks good, mostly. In my case it looks like I’m going to have to force a single prompt for all of ssh. At that point I might as well do it for everything, to minimize user confusion. So I won’t use all that flexibility.
Why do I have to force a single password for ssh? X2Go uses ssh. It can’t support multiple prompts. But there’s no obvious way to tell when ssh is being used by X2Go. sshd calls pam_authenticate with a minimum of environment variables, none of which have information that would help.

You might consider allowing a configurable delimiter character when the two factors are combined. There are situations where this won’t work. But in most cases the one-time part is going to use a limited character set, so looking for the last occurrence of the delimiter should work. You should know when two factors are in use because of the preauthentication type. For the offline case you’d want the user’s cache entry to include a bit saying whether 2FA was used. That way you know whether to look for the delimiter.

> On Mar 18, 2019, at 1:06 PM, Sumit Bose <[email protected]> wrote:
>
> On Mon, Mar 18, 2019 at 04:40:48PM +0000, Charles Hedrick wrote:
>> Sometime around Centos 7.5, pam auth was changed to skip pam_unix except for
>> local accounts. The goal was to allow pam_sss to give multiple prompts for
>> multiple factors.
>>
>> This is nice in principle, but we’re having to back out. I thought sss
>> maintainers and other might want to know why.
>>
>> We use FreeOTP for all systems staff and some users. Two prompts work fine
>> for sshd and other things where Redhat is responsible for maintenance. But
>> it fails for everything else. Examples: X2Go, Xrdp, Jupyterhub, Zeppelin,
>> anything using LDAP authentication. Indeed pretty much every web application
>> or commercial applications that need to authenticate.
>>
>> It appears that at this point, at least in our environment, it’s not
>> practical to use any authentication that requires multiple prompts.
>
> Hi,
>
> jfyi, I'm currently working on making the prompting more
> configurable/flexible.
>
> You can find my WIP design page at
> https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38736eaf26261/f/design_pages/prompting_configuration.rst
>
> Comments and suggestions are welcome.
>
> bye,
> Sumit

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
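The delimiter scheme proposed in the reply above (password and one-time code typed into a single prompt, split on the last occurrence of a configurable delimiter, with a per-user bit saying whether 2FA applies) as an added illustration. This is example code written for this page, not SSSD or pam_sss code; the function names, the CacheEntry stand-in, the 6 to 8 digit OTP rule and the fail-closed behaviour for a 2FA user who omits the code are assumptions made for the example.

```python
"""Added example: single-prompt password+OTP splitting with a configurable delimiter.

Not SSSD code. Illustrates the proposal above: split on the LAST delimiter,
because the one-time code uses a limited character set while the password may
itself contain the delimiter, and only look for a delimiter at all when the
user's (offline cache) entry says two factors are in use.
"""

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption for the example: FreeOTP/TOTP-style codes are 6 to 8 decimal digits.
OTP_RE = re.compile(r"^[0-9]{6,8}$")


@dataclass(frozen=True)
class CacheEntry:
    """Stand-in (assumed for the example) for a user's offline cache entry,
    extended with the bit the reply proposes: was 2FA in use for this user?"""
    user: str
    two_factor: bool


def split_combined_credential(typed: str, delimiter: str = ":") -> Optional[Tuple[str, str]]:
    """Return (password, otp) when `typed` ends in <delimiter><otp>, else None.

    rpartition picks the LAST delimiter, so a password that itself contains
    the delimiter still splits correctly. The charset check on the trailing
    part rejects a password fragment that merely happens to follow a
    delimiter (e.g. "pw:notacode").
    """
    if len(delimiter) != 1 or delimiter.isdigit():
        # A digit delimiter could be mistaken for part of the OTP itself.
        raise ValueError("delimiter must be a single non-digit character")
    password, sep, otp = typed.rpartition(delimiter)
    if not sep or not password or not OTP_RE.match(otp):
        return None
    return password, otp


def factors_for_login(typed: str, entry: CacheEntry, delimiter: str = ":") -> Tuple[str, Optional[str]]:
    """Interpret one prompt's input for a given user.

    Only look for the delimiter when the entry says 2FA applies, so a
    password-only user keeps a literal delimiter in their password untouched.
    For a 2FA user with no valid OTP suffix, fail closed (raise) rather than
    silently treating the whole string as the password; that choice is an
    assumption of this example, not something the thread specifies.
    """
    if not entry.two_factor:
        return typed, None
    parts = split_combined_credential(typed, delimiter)
    if parts is None:
        raise ValueError("2FA required but no one-time code found after delimiter")
    return parts


if __name__ == "__main__":
    alice = CacheEntry("alice", two_factor=True)   # constructed sample user
    bob = CacheEntry("bob", two_factor=False)      # constructed sample user
    print(factors_for_login("p@ss:word:123456", alice))  # ('p@ss:word', '123456')
    print(factors_for_login("p@ss:word", bob))           # ('p@ss:word', None)
```

The last-delimiter rule is what makes the scheme survive passwords containing the delimiter; the OTP character-set check is what makes the "situations where this won't work" detectable instead of silently misparsed, and the 2FA bit in the cache entry is what lets the offline path know whether to split at all.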
