Hi all,
Using FreeIPA, 2FA can be made optional by enabling "Password" AND "Two
factor authentication (password + OTP)" for a user. For particular hosts
the 2FA now can be made mandatory by enabling "Two factor authentication
(password + OTP)"
Now, for hosts for which 2FA is NOT mandatory, according to the man
pages, 2FA can be made "invissible" by using the "single_prompt" option.
In man sssd.conf:
"If the second factor is optional and it should be possible to log in
either only with the password or with both factors two-step prompting
has to be used."
However, this doesn't work. When using the "single_prompt" login will
fail. Using two prompts, and just press enter for the second 2FA prompt,
login will succeed.
Hence: did I forget something or is there a bug involved?
FYI: tested on CentOS Stream9
--
email handtekening privé Met vriendelijke groet,
Winfried de Heiden
wdh(a)dds.nl