Public bug reported:

lsb-release (behaves the same on all recent releases except for *caveat around 
Resolute below): 
Description:    Ubuntu 24.04.4 LTS
Release:        24.04

libpam-runtime:
  Installed: 1.5.3-5ubuntu5.5

What happens. FreeIPA enrolled clients do not prompt users for TOTP when it's a 
configured indicator.
What should happen. Users should be prompted for a TOTP if it's configured as a 
required or optional indicator.

The pam_sss module (SSS authentication in pam-auth-update) is capable of
doing this prompting and acting accordingly, but the user is only
prompted at login / su if the "Unix authentication" / pam_unix is
disabled with pam-auth-update.

Disabling pam_unix of course prevents local users from logging in, which
is suboptimal!

I have tried to get closer to the redhat / rocky pam configs to get the
desired behaviour with both modules functioning correctly, but not
succeeded yet.

*This has become more pertinent due to a bug in Resolute which I haven't
yet reported. With pam_sss and pam_unix both enabled, a user with
[password , password+otp] indicators configured has to provide the
password and otp concatenated despite password without otp being an
"allowed" mechanism. When the pam_unix is disabled pam_sss is able to
prompt for the otp and allows login with or without otp according to the
indicators the host is configured for.

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146581

Title:
  Using SSS authentication with TOTP prompts requires disabling Unix
  authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2146581/+subscriptions
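As an added example, not part of the bug report above: a small POSIX shell check that reads an auth stack in the layout pam-auth-update writes to /etc/pam.d/common-auth and reports whether pam_sss sits behind pam_unix with use_first_pass (in which case it reuses the password pam_unix already collected and never gets to ask for an OTP) or is free to prompt on its own. The two sample stacks are constructed, and the use_first_pass reading of the reporter's observation is my assumption, not something the report states.

```shell
#!/bin/sh
# Added example (not from the bug report). Inspects a PAM "auth" stack for the
# arrangement assumed to explain the missing TOTP prompt: pam_unix first,
# pam_sss second with use_first_pass.

# Constructed sample: what pam-auth-update is assumed to emit with both
# "Unix authentication" and "SSS authentication" enabled.
SAMPLE_BOTH='auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so'

# Constructed sample: the same stack after disabling "Unix authentication".
SAMPLE_SSS_ONLY='auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required pam_permit.so'

# sss_prompt_mode STACKTEXT -> prints one of:
#   absent      pam_sss.so is not in the auth stack
#   own-prompt  pam_sss.so runs without use_first_pass, so it can ask for OTP
#   reuse-pass  pam_sss.so reuses the token an earlier module collected
sss_prompt_mode() {
    line=$(printf '%s\n' "$1" | grep -E '^auth[[:space:]].*pam_sss\.so' | head -n 1)
    [ -n "$line" ] || { echo absent; return 0; }
    case "$line" in
        *use_first_pass*) echo reuse-pass ;;
        *) echo own-prompt ;;
    esac
}

# unix_precedes_sss STACKTEXT -> exit 0 if a pam_unix auth line comes before pam_sss
unix_precedes_sss() {
    printf '%s\n' "$1" | grep -E '^auth[[:space:]]' | awk '
        /pam_unix\.so/ && !seen_sss { seen_unix = 1 }
        /pam_sss\.so/ { seen_sss = 1; exit }
        END { exit !(seen_unix && seen_sss) }'
}

# check_stack STACKTEXT -> one-line verdict for the stack
check_stack() {
    mode=$(sss_prompt_mode "$1")
    if [ "$mode" = reuse-pass ] && unix_precedes_sss "$1"; then
        echo "pam_sss reuses the password pam_unix collected; no OTP prompt"
    else
        echo "pam_sss prompts on its own ($mode)"
    fi
}

# Run against the samples; for a live system: check_stack "$(cat /etc/pam.d/common-auth)"
check_stack "$SAMPLE_BOTH"
check_stack "$SAMPLE_SSS_ONLY"
```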


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs