Configuration: OS: Kubuntu 20.04 LTS, YubiKey 5 with PIV, sssd version: 2.2.3-3, testing in a terminal session without a graphical interface to exclude problems from the graphical interface.

When OTP is disabled and the YubiKey is inserted, I get the correct prompt for the smart card PIN during login. But when OTP is configured in IPA and the YubiKey is inserted, instead of getting the prompt for the smart card PIN I get prompts for the first factor and second factor.

In the [pam] section of /etc/sssd/sssd.conf I have enabled pam_cert_auth. I attach 2 logs from sssd, one with OTP enabled and one with OTP disabled. When I configured a second computer the same way a few weeks ago, everything works okay, but now I have to disable OTP to make the smart card work correctly.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [default=1 success=ok]      pam_localuser.so
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
#auth   [success=1 default=ignore]  pam_sss.so use_first_pass
auth    sufficient                  pam_sss.so forward_pass prompt_always
# here's the fallback if no module succeeds
auth    requisite                   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                    pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                    pam_cap.so
# end of pam-auth-update config
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Jan Ufnalski
freeipa-users@lists.fedorahosted.org