Hi all,
Using FreeIPA, 2FA can be made optional by enabling "Password"
AND "Two factor authentication (password + OTP)" for a user. For
particular hosts the 2FA now can be made mandatory by enabling
"Two factor authentication (password + OTP)"
Now, for hosts for which 2FA is NOT mandatory, according to the
man pages, 2FA can be made "invissible" by using the
"single_prompt" option. In man sssd.conf:
"If the second factor is optional and it should be possible to log
in either only with the password or with both factors two-step
prompting has to be used."
However, this doesn't work. When using the "single_prompt" login
will fail. Using two prompts, and just press enter for the second
2FA prompt, login will succeed.
Hence: did I forget something or is there a bug involved?
FYI: tested on CentOS Stream9