Marc, Sumit raises a good point about account lock-outs. But if that is not a concern for you, it seems that you could accomplish this in your PAM stack. Right now, you probably have something like:
    ...
    auth sufficient pam_sss.so forward_pass try_cert_auth
    ...
    account [default=ignore perm_denied=bad success=ok user_unknown=ignore] pam_sss.so quiet

So you could change this first pam_sss auth line to something like:

    auth sufficient pam_sss.so forward_pass try_cert_auth
    auth sufficient pam_sss.so forward_pass

That is, try smart card first and if it fails, invoke pam_sss again, specifying password auth. This has the disadvantage of calling pam_sss twice (which should not be too costly due to sssd's local cache). It also could have 2x the failure attempts, but if you rely on another PAM module for lock-out (like pam_faillock), you'll increment your failures only once.

Spike

On Fri, Dec 18, 2020 at 10:49 AM Sumit Bose <[email protected]> wrote:
> On Fri, Dec 18, 2020 at 05:01:48PM +0100, mbalembo wrote:
> > Hello,
> >
> > I would like to configure pam_sss.so as to separate authentication methods; in my case I use both password and smartcard.
> >
> > My problem is that when a smartcard is inserted, you can't use password anymore because it will prompt for the PIN and fail without fallback.
> >
> > Ideally I'd like to configure pam/sssd/sddm to try the "password" as a password, then try as a PIN for inserted smartcards.
> > Can I configure sssd to do that?
> > My understanding is that even if you set pam_sss to try_cert_auth, it will not fallback to password if a smartcard is inserted.
>
> Hi,
>
> this is currently not possible because SSSD strongly tries to avoid try-and-error methods. Imo your use case is even a good example why this should be avoided.
>
> Assuming that you have a Smartcard inserted but you use your password for authentication. Since SSSD cannot know if it is the PIN or the password it will try the input as PIN first and then try password verification. Depending on your Smartcard settings there is a fair chance that your Smartcard will be locked after doing this 3 or 5 times.
>
> If the password is checked first there is the same chance that your account will be locked on the server side if you use the PIN for authentication.
>
> bye,
> Sumit
>
> > Thanks for your help,
> > Marc

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
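Added example, not code from this thread, SSSD or Linux-PAM: a small Python model of how Linux-PAM walks an auth stack, run over the two-line pam_sss stack Spike proposes plus a faillock-style counter, to show which modules run for a good PIN, a password typed with a card inserted, and a failed attempt (tallied once). Module names and return values are constructed.

```python
# Toy model of Linux-PAM auth stacking for the two-line pam_sss stack above.
# Illustrative only: not SSSD or Linux-PAM code; names and retvals constructed.

# Linux-PAM rewrites the simple keywords into the bracketed action syntax.
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_control(ctrl):
    """'sufficient' or '[success=ok default=die ...]' -> {retval: action}."""
    if ctrl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return KEYWORDS[ctrl]

def run_stack(stack, modules):
    """stack: [(control, module_name)]; modules: name -> callable returning a
    PAM-style retval such as 'success' or 'auth_err'.
    Returns (authenticated, names of the modules that actually ran)."""
    impression, ran = None, []        # None: no module has set a verdict yet
    for ctrl, name in stack:
        retval = modules[name]()
        ran.append(name)
        actions = parse_control(ctrl)
        action = actions.get(retval, actions.get("default", "ignore"))
        if action in ("ok", "done") and impression is None:
            impression = True         # first verdict wins, as in Linux-PAM
        elif action in ("bad", "die"):
            impression = False
        if action == "die" or (action == "done" and impression):
            break                     # decision made: stop walking the stack
    return impression is True, ran    # no verdict at all is a denial

def simulate(pin_retval, password_retval):
    """One login attempt against the proposed stack: smartcard try, password
    fallback, then a faillock-style tally that only runs if both failed."""
    failures = []
    def authfail():
        failures.append(1)            # one tally per PAM conversation
        return "auth_err"
    modules = {"pam_sss try_cert_auth": lambda: pin_retval,
               "pam_sss password":      lambda: password_retval,
               "pam_faillock authfail": authfail}
    stack = [("sufficient", "pam_sss try_cert_auth"),
             ("sufficient", "pam_sss password"),
             ("[default=die]", "pam_faillock authfail")]
    ok, ran = run_stack(stack, modules)
    return ok, ran, len(failures)
```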
