... turns out I was 99% close to a solution.
The only thing left to do was calling
/usr/bin/pam-auth-update and
-deselecting "Unix authentication"
-deselecting "SSS authentication"
-selecting "Unix for local and sss for remote/OTP authentication"
the selected setting was added via the script from Jochen which has
to be placed in
/usr/share/pam-configs/
and here's his script (just for reference)
------------------------------------------------------------------------
Name: Unix for local and sss for remote/OTP authentication
Default: yes
Priority: 256
Conflicts: unix, sss
Auth-Type: Primary
Auth:
	[default=1 success=ok] pam_localuser.so
	[success=end default=ignore] pam_unix.so nullok_secure try_first_pass
	requisite pam_succeed_if.so uid >= 1000 quiet_success
	[success=end default=ignore] pam_sss.so forward_pass
Auth-Initial:
	[default=1 success=ok] pam_localuser.so
	[success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
	requisite pam_succeed_if.so uid >= 1000 quiet_success
	sufficient pam_sss.so forward_pass
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore] pam_unix.so
	sufficient pam_localuser.so
	[default=bad success=ok user_unknown=ignore] pam_sss.so
Account-Initial:
	[success=end new_authtok_reqd=done default=ignore] pam_unix.so
	sufficient pam_localuser.so
	[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session:
	required pam_unix.so
	optional pam_sss.so
Session-Initial:
	required pam_unix.so
	optional pam_sss.so
Password-Type: Primary
Password:
	[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
	sufficient pam_sss.so use_authtok
Password-Initial:
	[success=end default=ignore] pam_unix.so obscure sha512
	sufficient pam_sss.so
------------------------------------------------------------------------
have a nice weekend - and stay healthy, everyone!
Cheers,
Thorsten
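As an added example (not part of this thread and not Jochen's code), here is a short Python walk of that Auth stack under the pam.d(5) control semantics, showing which module ends up checking the password for a local versus an IPA user. Module outcomes and the users are stubbed and constructed, so it runs offline; the treatment of a numeric jump as "skip, result not recorded" is an assumption.

```python
# Added example: simulate the Auth stack from the pam-configs profile above.
# The Auth stack as (control, module, args). "end" is what pam-auth-update
# turns into a jump to the pam_permit.so line it appends to common-auth.
AUTH = [
    ("[default=1 success=ok]",       "pam_localuser.so",  ""),
    ("[success=end default=ignore]", "pam_unix.so",       "nullok_secure try_first_pass"),
    ("requisite",                    "pam_succeed_if.so", "uid >= 1000 quiet_success"),
    ("[success=end default=ignore]", "pam_sss.so",        "forward_pass"),
]

# Classic control keywords written in the [value=action] form of pam.d(5).
KEYWORDS = {"required": "[success=ok default=bad]", "requisite": "[success=ok default=die]",
            "sufficient": "[success=done default=ignore]", "optional": "[success=ok default=ignore]"}

def parse_control(ctl):
    return dict(kv.split("=", 1) for kv in KEYWORDS.get(ctl, ctl).strip("[]").split())

def module_result(module, user):
    """Stubbed outcomes (assumption): pam_localuser = listed in /etc/passwd, pam_unix =
    local shadow password correct, pam_sss = IPA password(+OTP) correct for a non-local user."""
    return {"pam_localuser.so": user["local"],
            "pam_unix.so": user["local"] and user["unix_ok"],
            "pam_succeed_if.so": user["uid"] >= 1000,
            "pam_sss.so": not user["local"] and user["sss_ok"]}[module]

def walk_auth(stack, user):
    """Return (authenticated, modules_consulted) following the control actions in order."""
    consulted, failed, i = [], False, 0
    while i < len(stack):
        ctl, module, _ = stack[i]
        consulted.append(module)
        ok = module_result(module, user)
        action = parse_control(ctl).get("success" if ok else "default", "ignore")
        i += 1
        if action == "end":                 # jump past pam_deny.so to pam_permit.so
            return not failed, consulted
        if action.isdigit():                # skip N modules; the jump's own result is not recorded (assumption)
            i += int(action)
        elif action == "done" and not failed:   # sufficient: stop unless an earlier failure
            return ok, consulted
        elif action == "die":               # requisite failure: stop immediately
            return False, consulted
        elif action == "bad" or (action == "ok" and not ok):
            failed = True
    return False, consulted                 # fell through to the pam_deny.so line
```

For an IPA user the walk never touches pam_unix.so, which is exactly why Debian stopped swallowing password+OTP in the pam_unix prompt once this profile replaced the unix and sss ones.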
On 2020-03-21 15:55, Thorsten Johannsen via FreeIPA-users wrote:
Hello list!
Sorry for hijacking an old thread -- but this already seems to be 95% of a
solution to my problem.
I have FreeIPA 4.8.0 installed and I'm trying to get OTP working.
And it does work with CentOS8 - just not with Debian 10.
Searching the list I found this post describing exactly my situation.
What I do not understand is what modification to /etc/pam.d I have to
make after copying the unix+sss script to /usr/share/pam-configs.
Can somebody give me a hint?
Thanks in advance,
Thorsten
On 06.02.18 06:34, Jochen Hein via FreeIPA-users wrote:
> John Ratliff via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> writes:
>
>> Okay, so the problem wasn't that it wasn't working; it's that I didn't
>> understand the prompts. Debian only prompts for password, but wants
>> password + OTP on the same field. CentOS prompts for First Factor /
>> Second Factor.
>>
>> Is there any way I can make it so that on Debian clients it asks for
>> the factors separately as well?
>
> Can you please look at /etc/pam.d? Debian uses pam_unix to get the
> password+OTP, CentOS/Fedora use pam_sss for non-local users. I've added
> the following to /usr/share/pam-configs and use that instead of pam_unix
> and pam_sss.
>
> Jochen
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...