On Mon, 27 May 2024, seojeong kim via FreeIPA-users wrote:
IPA offline authentication mode doesn't work when sssd.conf has single_prompt = True for an ipauserauthtype=otp user? In my test, ipauserauthtype = otp.
single_prompt = False, first_factor = pwd : second_factor = otp :
Offline authentication works with the above configuration, but when I set single_prompt = True, offline authentication doesn't work.
That is expected. Offline authentication works by storing a hashed version of a password locally and then comparing a hashed version of an entered password against this hash. As a result, when you use a single prompt, there is no separate password to hash; the whole pin+token sequence is hashed. Since the token value changes each time, it will never match the stored hashed version.
If you want offline authentication to work in such a case, you have to give up single prompting.
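
A simplified model of the comparison described in the reply above, added here as an illustration; it is not SSSD code and not part of the original message. The cache format (salted PBKDF2), the function names and the sample password are assumptions; the TOTP secret and timestamps are the RFC 6238 test values.

```python
import hashlib
import hmac
import os
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def cache_entry(entered: str) -> tuple[bytes, bytes]:
    """Hypothetical cache record: salted hash of whatever string was typed."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, 100_000)

def offline_check(entry: tuple[bytes, bytes], entered: str) -> bool:
    """Re-hash the offline input with the stored salt and compare."""
    salt, stored = entry
    cand = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, 100_000)
    return hmac.compare_digest(stored, cand)

def simulate(single_prompt: bool) -> bool:
    """Return True if an offline login succeeds after one online login."""
    password = "constructed-pass"             # constructed sample value
    secret = b"12345678901234567890"          # RFC 6238 test secret
    otp_online = totp(secret, 59)             # code at the online login
    otp_offline = totp(secret, 1111111109)    # later code, typed while offline
    if single_prompt:
        # One field: only password+token exists, so that is what gets hashed.
        entry = cache_entry(password + otp_online)
        return offline_check(entry, password + otp_offline)
    # Two fields: the static first factor can be hashed on its own.
    entry = cache_entry(password)
    return offline_check(entry, password)

if __name__ == "__main__":
    print("separate prompts, offline login ok:", simulate(False))
    print("single prompt,    offline login ok:", simulate(True))
```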