On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 18 Mar 2019, Jelle de Jong via FreeIPA-users wrote:
>> Hello everybody,
>>
>>
>> I am looking for a way to have different authentication policy for a
>> freeipa-client logout and screenlock on linux workstations.
>>
>> When a user logs in I want to use my password+otp (this is working)!
>>
>> When a user locks their screen I want to be able to unlock it with only the
>> password.
>>
>> When a user logs out and back in then it needs to use the password+otp
>> again.
>>
>> I am aware of the security implications for this.
>>
>> How can I configure this policy?
> I don't think there is a way to deploy such policy through SSSD at all.

Currently this is not possible, one problem already is that gdm at login
and the Gnome screen lock use the same pam service (gdm-password). So at
least for the default RHEL/Fedora desktop pam_sss.so has to detect in
what kind of process it is running and send this information besides the
PAM service to SSSD. This might be a little bit easier if other screen
savers are used but I think a solution should cover the default
desktop.
The configurable prompting I'm working on (WIP design page at
https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38...
comments and suggestions welcome) might help a bit, but as said login
and screen saver must use different PAM services to make it work.
HTH
bye,
Sumit
>
> Jakub, do you have an idea how to make that possible?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland