On Fri, Dec 18, 2020 at 05:01:48PM +0100, mbalembo wrote:
> Hello,
>
>
> I would like to configure pam_sss.so as to separate authentication methods;
> in my case I use both password and smartcard.
>
> My problem is that when a smartcard is inserted, you can't use password
> anymore because
> it will prompt for the PIN and fail without fallback.
>
> Ideally I'd like to configure pam/sssd/sddm to try the "password" as a
> password, then try as a PIN for inserted smartcards.
> Can I configure sssd to do that?
> My understanding is that even if you set pam_sss to try_cert_auth, it will
> not fall back to password if a smartcard is inserted.

Hi,

this is currently not possible because SSSD strongly tries to avoid
trial-and-error methods. IMO your use case is even a good example of why
this should be avoided.

Assuming that you have a Smartcard inserted but you use your password
for authentication. Since SSSD cannot know if it is the PIN or the
password it will try the input as PIN first and then try password
verification. Depending on your Smartcard settings there is a fair
chance that your Smartcard will be locked after doing this 3 or 5 times.
If the password is checked first there is the same chance that your
account will be locked on the server side if you use the PIN for
authentication.

bye,
Sumit

>
>
> Thanks for your help,
> Marc
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
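
The lockout reasoning in the reply above, as a small simulation added here (it is not part of the original thread and is not SSSD code). It models a hypothetical fallback chain that tries one typed secret against both backends; the retry limits of 3 and 5, the sample secrets, and the names `Smartcard`, `Server` and `simulate` are assumptions. Every login succeeds, yet the backend that is tried first and never sees its own secret ends up locked.

```python
from dataclasses import dataclass

# Constructed model: limits and secrets are sample values, not SSSD defaults.
@dataclass
class Smartcard:
    pin: str
    max_retries: int = 3          # assumed PIN retry limit
    retries_left: int = 3

    @property
    def blocked(self):
        return self.retries_left == 0

    def verify(self, guess):
        if self.blocked:
            return False
        if guess == self.pin:
            self.retries_left = self.max_retries   # a good PIN resets the counter
            return True
        self.retries_left -= 1
        return False

@dataclass
class Server:
    password: str
    max_failures: int = 5         # assumed server-side lockout threshold
    failures: int = 0

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def verify(self, guess):
        if self.locked:
            return False
        if guess == self.password:
            self.failures = 0
            return True
        self.failures += 1
        return False

def simulate(secret, order, logins):
    """Hypothetical fallback chain: each login tries `secret` on every backend in `order`."""
    card, server = Smartcard(pin="482913"), Server(password="correct horse")
    checks = {"pin": card.verify, "password": server.verify}
    results = [any(checks[b](secret) for b in order) for _ in range(logins)]
    return results, card.blocked, server.locked

if __name__ == "__main__":
    print(simulate("correct horse", ("pin", "password"), 3))   # user types the password
    print(simulate("482913", ("password", "pin"), 5))          # user types the PIN
```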