On Mon, Jan 04, 2021 at 05:23:58PM +0100, mbalembo wrote:
> Hi,
>
> My case comes from GUI login (sddm) not talking with the pam stack like
> login/ssh do (with login you get a prompt for a password or for a PIN with
> the token/smartcard name displayed to the user).
> This way, there is no lock-out problem.
>
> Currently, my pam_sss.so does not have the try_cert_auth option,
> and sssd.conf seems to do all the work.
> I will change that to use Spike's solution.
>
> My goal is to modify sddm so you choose how you want to authenticate before
> going to the pam/sssd stack so you can select the right token between
> multiple plugged smartcards or plain password and avoid lock-outs.

Hi,

this sounds similar to what gdm is already doing. E.g. for selecting the
right certificate gdm offers a PAM extension, see
https://gitlab.gnome.org/GNOME/gdm/-/tree/master/pam-extensions and
https://github.com/SSSD/sssd/blob/master/src/sss_client/pam_sss.c#L1672
for how SSSD is using it.

bye,
Sumit

>
> Thanks for the help!
> Marc
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
