URL: https://github.com/SSSD/sssd/pull/159 Author: sumit-bose Title: #159: pam: use authtok from PAM stack if available Action: opened PR body: """ With this patch the behavior of pam_sss is slightly changed to be more similar to the behavior of other PAM modules. Currently pam_sss expects that there is a authtok (password) on the PAM stack if the 'use_first_pass' option was used. Without the option pam_sss unconditionally prompts for credentials. With this patch pam_sss will use an authtok from the PAM stack even if 'use_first_pass' is not set but it will assume that it is a password. To return to the previous behavior the new 'prompt_always' can be used. Resolves https://fedorahosted.org/sssd/ticket/2984 Besides the use-case mentioned in the ticket with this change it should be possible to change the default PAM configuration in Fedora and RHEL to allow a fallback to pam_sss if pam_unix fails, so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass can be changed to auth [sufficient] pam_unix.so nullok try_first_pass 'sufficient' is equivalent to '[success=done new_authtok_reqd=done default=ignore]' so the 'default=die' is remove here and the next PAM modules is called. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/159/head:pr159 git checkout pr159