... turns out I was 99% close to a solution.
The only thing left to do was calling
/usr/bin/pam-auth-update and
- deselecting "Unix authentication"
- deselecting "SSS authentication"
- selecting "Unix for local and sss for remote/OTP authentication"
The selected setting was added via the script from Jochen, which has to be placed in
/usr/share/pam-configs/
and here's his script (just for reference):
------------------------------------------------------------------------
Name: Unix for local and sss for remote/OTP authentication
Default: yes
Priority: 256
Conflicts: unix, sss
Auth-Type: Primary
Auth:
	[default=1 success=ok] pam_localuser.so
	[success=end default=ignore] pam_unix.so nullok_secure try_first_pass
	requisite pam_succeed_if.so uid >= 1000 quiet_success
	[success=end default=ignore] pam_sss.so forward_pass
Auth-Initial:
	[default=1 success=ok] pam_localuser.so
	[success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
	requisite pam_succeed_if.so uid >= 1000 quiet_success
	sufficient pam_sss.so forward_pass
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore] pam_unix.so
	sufficient pam_localuser.so
	[default=bad success=ok user_unknown=ignore] pam_sss.so
Account-Initial:
	[success=end new_authtok_reqd=done default=ignore] pam_unix.so
	sufficient pam_localuser.so
	[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session:
	required pam_unix.so
	optional pam_sss.so
Session-Initial:
	required pam_unix.so
	optional pam_sss.so
Password-Type: Primary
Password:
	[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
	sufficient pam_sss.so use_authtok
Password-Initial:
	[success=end default=ignore] pam_unix.so obscure sha512
	sufficient pam_sss.so
------------------------------------------------------------------------
have a nice weekend - and stay healthy, everyone!
Cheers, Thorsten
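To check which modules a login actually reaches under this profile, here is an added example (not part of the thread or of pam-auth-update itself) that models the Auth: stanza above together with the pam_deny/pam_permit lines pam-auth-update appends to common-auth; it assumes libpam's control flow simplified to the ok/bad/die/ignore/jump actions this stanza uses, and the module results passed in are constructed per scenario.

```python
import re
# Auth: stanza of the profile quoted above (constructed input for this example).
PROFILE_AUTH = """
[default=1 success=ok] pam_localuser.so
[success=end default=ignore] pam_unix.so nullok_secure try_first_pass
requisite pam_succeed_if.so uid >= 1000 quiet_success
[success=end default=ignore] pam_sss.so forward_pass
"""
# Keyword controls as libpam expands them (simplified; sufficient/optional omitted).
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"}}

def parse_stack(text):
    """Return [(action_table, module)] for each line of a stanza."""
    stack = []
    for line in text.strip().splitlines():
        control, module = re.match(r"(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        if control.startswith("["):
            table = dict(kv.split("=") for kv in control.strip("[]").split())
        else:
            table = KEYWORDS[control]
        stack.append((table, module))
    return stack

def trace_auth(profile, results):
    """Walk the Primary block plus the pam_deny/pam_permit lines pam-auth-update
    appends to common-auth. `results` maps module -> PAM result name for this
    login ('success', 'user_unknown', 'auth_err'); unlisted modules fail."""
    stack = parse_stack(profile) + [(KEYWORDS["requisite"], "pam_deny.so"),
                                    (KEYWORDS["required"], "pam_permit.so")]
    permit = len(stack) - 1
    impression, status, consulted, i = None, None, [], 0
    while i < len(stack):
        table, module = stack[i]
        consulted.append(module)
        res = results.get(module, "success" if module == "pam_permit.so" else "auth_err")
        action = table.get(res, table.get("default", "bad"))
        if action == "end":               # pam-auth-update rewrites 'end' as a jump
            action = str(permit - i - 1)  # that lands on pam_permit, past pam_deny
        if action == "ok" and impression is None:
            impression, status = "pos", res
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", res
            if action == "die":
                break
        elif action.isdigit():
            i += int(action)              # skip the next N modules
        i += 1                            # 'ignore' just falls through
    return status, consulted
```

For an IPA user, `trace_auth(PROFILE_AUTH, {"pam_localuser.so": "user_unknown", "pam_succeed_if.so": "success", "pam_sss.so": "success"})` shows pam_unix.so is skipped entirely, which is why only pam_sss prompts.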
On 2020-03-21 15:55, Thorsten Johannsen via FreeIPA-users wrote:
Hello list!
Sorry for hijacking an old thread -- but this already seems to be a 95% solution to my problem.
I have FreeIPA 4.8.0 installed and I'm trying to get OTP working. And it does work with CentOS 8 - just not with Debian 10.
Searching the list I found this post describing exactly my situation.
What I do not understand is what modification to /etc/pam.d I have to make after copying the unix+sss script to /usr/share/pam-configs.
Can somebody give me a hint?
Thanks in advance,
Thorsten
On 06.02.18 06:34, Jochen Hein via FreeIPA-users wrote:
John Ratliff via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Okay, so the problem wasn't that it wasn't working; it's that I didn't understand the prompts. Debian only prompts for password, but wants password + OTP on the same field. CentOS prompts for First Factor / Second Factor.
Is there any way I can make it so that on Debian clients it asks for the factors separately as well?
Can you please look at /etc/pam.d? Debian uses pam_unix to get the password+OTP, CentOS/Fedora use pam_sss for non-local users. I've added the following to /usr/share/pam-configs and use that instead of pam_unix and pam_sss.
Jochen
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...