On Mon, 27 May 2024, seojeong kim via FreeIPA-users wrote:
> IPA offline authentication mode doesn't work when sssd.conf has
> single_prompt = True for ipauserauthtype=otp user?
> When I have a test, ipauserauthtype = otp,
> single_prompt = False,
> first_factor = pwd :
> second_factor = otp :
> offline authentication works with the above configuration, but when I set
> single_prompt = True, offline authentication doesn't work.

That is expected. Offline authentication works by storing a hashed
version of a password locally and then comparing the hashed version of an
entered password against this hash. As a result, when you use a single
prompt, there is no separate password to hash; the whole pin+token
sequence is hashed. Since the token value changes each time, it will never
match the stored hashed version.

If you want offline authentication to work in such a case, you have to
give up single prompting.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
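
The mismatch described in the reply can be reproduced with a small model. This is an added example, not part of the original message and not SSSD code; the PBKDF2 hash, the function names, the sample password and the shared secret are assumptions chosen for illustration (the token generator is standard RFC 6238 TOTP).

```python
import hashlib
import hmac
import os
import struct

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1); used only to get a token that changes over time."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def cache_entry(typed):
    """What the client keeps after a successful online login: salt + hash only."""
    salt = os.urandom(16)
    # Stand-in hash (assumption); the point is only that it is one-way.
    return salt, hashlib.pbkdf2_hmac("sha256", typed.encode(), salt, 100_000)

def offline_check(entry, typed):
    """Offline login: hash what was typed and compare with the cached hash."""
    salt, stored = entry
    cand = hashlib.pbkdf2_hmac("sha256", typed.encode(), salt, 100_000)
    return hmac.compare_digest(stored, cand)

def simulate(single_prompt, password, secret, t_online, t_offline):
    """Online login at t_online fills the cache; offline login happens at t_offline."""
    if single_prompt:
        # One prompt: the client sees one opaque string, so password+token is hashed.
        entry = cache_entry(password + totp(secret, t_online))
        typed = password + totp(secret, t_offline)
    else:
        # Separate prompts: the first factor is known on its own and cached alone.
        entry = cache_entry(password)
        typed = password
    return offline_check(entry, typed)

if __name__ == "__main__":
    pw, key = "Secret123", b"12345678901234567890"  # constructed sample values
    print("separate prompts:", simulate(False, pw, key, 59, 1111111109))
    print("single prompt   :", simulate(True, pw, key, 59, 1111111109))
```

With separate prompts the cached hash covers only the static first factor, so the offline comparison succeeds; with a single prompt it succeeds only if the token has not rolled over since the cache was written.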