Hi all,

Using FreeIPA, 2FA can be made optional by enabling "Password" AND "Two factor authentication (password + OTP)" for a user. For particular hosts the 2FA now can be made mandatory by enabling "Two factor authentication (password + OTP)"

Now, for hosts for which 2FA is NOT mandatory, according to the man pages, 2FA can be made "invissible" by using the "single_prompt" option. In man sssd.conf:

"If the second factor is optional and it should be possible to log in either only with the password or with both factors two-step prompting has to be used."

However, this doesn't work. When using the "single_prompt" login will fail. Using two prompts, and just press enter for the second 2FA prompt, login will succeed.

Hence: did I forget something or is there a bug involved?

FYI: tested on CentOS Stream9


--
email handtekening privé Met vriendelijke groet,

Winfried de Heiden
wdh@dds.nl