Sometime around CentOS 7.5, PAM auth was changed to skip pam_unix except for local
accounts. The goal was to allow pam_sss to give multiple prompts for multiple factors.
This is nice in principle, but we’re having to back out. I thought sss maintainers and
others might want to know why.
We use FreeOTP for all systems staff and some users. Two prompts work fine for sshd and
other things where Red Hat is responsible for maintenance. But it fails for everything
else. Examples: X2Go, Xrdp, JupyterHub, Zeppelin, anything using LDAP authentication.
Indeed, pretty much every web application or commercial application that needs to
authenticate.
It appears that at this point, at least in our environment, it’s not practical to use any
authentication that requires multiple prompts.
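To make the stack change the post refers to concrete, here is an added example (not from the post, and not Red Hat's or sssd's code). It walks a simplified auth section of /etc/pam.d/system-auth with a toy PAM control-flow evaluator and shows which module gets to own the conversation for a local user versus a directory user. The two stacks are constructed approximations of what authconfig writes before and after the pam_localuser jump was introduced; the per-module outcomes are constructed too, and only the four control forms used here (required, requisite, sufficient, and `[default=N ignore=ignore success=ok]`) are modelled.

```python
"""Toy evaluator for the auth section of a PAM stack (added example, not PAM itself).

Constructed approximation of the pre-7.5 stack: pam_unix always runs first and
prompts once, then hands the password to pam_sss with use_first_pass, so pam_sss
never gets a chance to ask for a second factor.
"""
import re

STACK_OLD = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
"""

# Constructed approximation of the 7.5-style stack: pam_localuser fails for a
# non-local user, and the bracketed control jumps over pam_unix, so pam_sss is
# the first module to prompt and can issue two prompts (password, then OTP).
STACK_NEW = """\
auth required   pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required   pam_deny.so
"""

LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
JUMP_RE = re.compile(r"\[default=(\d+)\s+ignore=ignore\s+success=ok\]")
PROMPTING_MODULES = ("pam_unix.so", "pam_sss.so")  # modules that talk to the user

# Constructed module outcomes.  Modules not listed are assumed to succeed.
LOCAL_USER = {   # account exists in /etc/passwd and typed the right password
    "pam_localuser.so": "success",
    "pam_unix.so": "success",
    "pam_sss.so": "fail",        # sssd does not know a purely local account
    "pam_deny.so": "fail",
}
DOMAIN_USER = {  # account exists only in the directory behind sssd
    "pam_localuser.so": "fail",  # not in /etc/passwd
    "pam_unix.so": "fail",       # no local shadow entry to check against
    "pam_sss.so": "success",
    "pam_deny.so": "fail",
}


def parse_stack(text):
    """Return [(control, module, args)] for each auth line of a pam.d fragment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line}")
        control, module, args = m.groups()
        entries.append((control, module, args.strip()))
    return entries


def run_auth(text, outcomes):
    """Walk the stack; return (final result, list of modules that actually ran)."""
    entries = parse_stack(text)
    executed, failed, i = [], False, 0
    while i < len(entries):
        control, module, _ = entries[i]
        result = outcomes.get(module, "success")
        executed.append(module)
        jump = JUMP_RE.match(control)
        if jump:
            # success/ignore fall through; any other result skips the next N modules
            if result == "fail":
                i += 1 + int(jump.group(1))
                continue
        elif control == "sufficient":
            if result == "success" and not failed:
                return "success", executed
        elif control == "requisite":
            if result == "fail":
                return "fail", executed
        elif control == "required":
            if result == "fail":
                failed = True
        else:
            raise ValueError(f"unsupported control: {control}")
        i += 1
    return ("fail" if failed else "success"), executed


def first_prompting_module(executed):
    """The first module to reach the conversation function owns the prompt(s)."""
    return next((m for m in executed if m in PROMPTING_MODULES), None)


if __name__ == "__main__":
    for label, stack in (("old stack", STACK_OLD), ("7.5 stack", STACK_NEW)):
        for who, outcomes in (("local user", LOCAL_USER), ("domain user", DOMAIN_USER)):
            result, ran = run_auth(stack, outcomes)
            print(f"{label:9} {who:11} -> {result:7} first prompt from {first_prompting_module(ran)}")
```

The output makes the trade-off visible: with the old stack pam_unix asks the single "Password:" question for everyone, which is exactly what an application with a one-shot conversation handler (or one that binds to LDAP with a single password) expects; with the 7.5 stack a domain user's first prompt comes from pam_sss, which is free to ask twice, and any client that answers only one prompt fails.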