This may not be entirely sssd-related, but hopefully I can tap some PAM expertise.
I'm trying to work out a PAM configuration that will always require an OTP via google_authenticator in combination with any other auth method - gssapi, key, or password.
I've tried to do this with this sshd config:
# Kerberos / Public Key + PAM
AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam
and pam:
auth [success=done new_authtok_reqd=done default=ok] pam_google_authenticator.so
auth substack password-auth
The idea being that if ga prompts for a token, we're done, and sshd's password auth handles the password case.
But with this config, sshd fails with:
sshd[23879]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=USER
sshd[23879]: debug1: PAM: password authentication failed for USER: The return value should be ignored by PAM dispatch
Which may be a bug/limitation in sshd, but I don't think I'm able to fix that.
At this point I'm thinking of something like:
auth [success=done new_authtok_reqd=done] pam_google_authenticator.so
auth sufficient "return success if no auth token is given"
auth substack password-auth
But how to achieve it? Thanks.
sssd-users@lists.fedorahosted.org
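To see how the control flags in the stack above combine the OTP result with password-auth, here is an added example (my own code, not from the post or from Linux-PAM): a simplified model of libpam's auth dispatch. The three-line password-auth contents and the module return values are constructed; pam_deny.so at the end of password-auth is an assumption matching the usual distribution file.

```python
# Added example (not from the original post): a simplified model of Linux-PAM
# auth-stack dispatch (ok/bad/done/die/ignore actions and substack scoping, per
# pam.conf(5)); jump-N and freezing are not modelled, results come from the caller.

KEYWORDS = {  # legacy control keywords in their bracketed form, per pam.conf(5)
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}

def parse_control(control):
    control = KEYWORDS.get(control, control)
    return dict(kv.split("=") for kv in control.strip("[]").split())

def dispatch(stack, results, substacks, state):
    """Walk one stack level; done/die end only this level (stack or substack)."""
    for control, module in stack:
        if control == "substack":
            dispatch(substacks[module], results, substacks, state)
            continue
        state["called"].append(module)
        rv = results[module]
        table = parse_control(control)
        action = table.get(rv, table.get("default", "bad"))
        if action in ("ok", "done"):
            # ok/done only override an undefined or still-successful status,
            # so a failure recorded earlier (e.g. via default=ok) sticks.
            if state["impression"] is None or (state["impression"] == "+" and state["status"] == "success"):
                state["impression"], state["status"] = "+", rv
            if action == "done" and state["impression"] == "+":
                return
        elif action in ("bad", "die"):
            if state["impression"] != "-":
                state["impression"], state["status"] = "-", rv
            if action == "die":
                return
        # "ignore": the return value does not contribute to the stack result

def authenticate(stack, results, substacks=None):
    """Return (final status, modules consulted) for one pam_authenticate() run."""
    state = {"impression": None, "status": None, "called": []}
    dispatch(stack, results, substacks or {}, state)
    return (state["status"] if state["impression"] else "perm_denied"), state["called"]

# The stack from the message, plus a constructed three-line password-auth.
SSHD_STACK = [("[success=done new_authtok_reqd=done default=ok]", "pam_google_authenticator.so"),
              ("substack", "password-auth")]
PASSWORD_AUTH = {"password-auth": [("sufficient", "pam_unix.so"), ("sufficient", "pam_sss.so"),
                                   ("required", "pam_deny.so")]}
```

Running `authenticate(SSHD_STACK, ...)` with the OTP module returning success ends the stack before password-auth is consulted, while an OTP failure under `default=ok` is recorded as the stack status and a later pam_sss success does not override it; swapping the first line for `sufficient` lets password-auth decide instead.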