With pam_securid.so

I can set in /etc/pam.d/sshd

   auth sufficient pam_securid.so 

and at ssh login, I just put the PIN at the Password: prompt and then I get the Enter SMS Token: prompt, and I can then put in the
tokencode and I can ssh into the server fine.

If I do the same with pam_sss.so, it keeps asking for Password: and never changes the prompt to Enter SMS Token:, and ssh fails badly.
At this second Password: prompt I tried with just the tokencode (at 18:45:34 in the log below) or PIN and tokencode (at 18:47:55). Neither let
me in, and both failed eventually.

I think it is because pam_sss -> proxy -> securid -> pam_securid is failing to handle the PAM conversation?

Is there a way to fix that so pam_sss behaves the right way and lets me authenticate in two steps, with the PIN and then the TokenCode on the next step?

Also without this PAM conversation, when the PIN expires it will not let you update it. With simple pam.d/sshd and auth sufficient pam_securid.so
that works very well as well.

I have sssd.conf set up like this:
   auth_server = proxy
   proxy_target_pam = securid

And in the pam.d/securid file:
   auth sufficient pam_securid.so

Here are some logs: http://dpaste.com/2HD27XH.txt where
   I tried with the PIN at the first Password: prompt and then the TokenCode at the second Password: prompt at 18:45:34 and failed to log in
And
   I tried with the PIN at the first Password: prompt and then the PIN and TokenCode at the second Password: prompt at 18:47:55 and failed to log in

I tried with SELinux off and on, with the same result.

If I put the PIN and TokenCode at the first Password: prompt, login works fine. I did not put any log for that here.

Any suggestions on how to fix pam_sss for OTP?

Thanks!

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?