This setup also failed miserably, where the first two lines of pam.d/sshd are like below:

auth       required
auth       include      system-auth-ac_new

And using your pam.d/system-auth-ac_new 

So it does give you the right prompt 'Enter SMS Token:' when I just put the PIN at the first login prompt. But after putting the SMS token at the next prompt
it goes back to the Password: prompt again. Even worse, it now does not even work when giving both PIN and TokenCode at the first prompt either.

Any other suggestion? Does anyone work with SSS and OTP at all?

Seems like I should just not use sss since OTP is a *must* requirement.

On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi wrote:

My 2c: having two 'Password:' prompts (RSA + sssd) will confuse your users. The easiest would be to configure sd_pam.conf to use a different prompt for RSA.

$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :

Now back to your question, I believe you need to define a new system-auth file to be used, in my case system-auth-ac_new with custom pam config. This is a working rsa + sssd (openldap) setup; I am not sure about proxy as I haven't used it before.

$ cat /etc/pam.d/sshd
auth       required reserve
auth       include      system-auth-ac_new
account    required
account    include      system-auth-ac_new
password   include      system-auth-ac_new
session    optional force revoke
session    include      system-auth-ac_new
session    required

$ cat /etc/pam.d/system-auth-ac_new
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        required

account     [default=bad success=ok user_unknown=ignore]
#account     required
account     required broken_shadow
account     sufficient
account     sufficient uid < 500 quiet
account     required

password    sufficient use_authtok
password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    required

session     optional
session     optional revoke
session     required
session     optional
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

On 10/26/2017 07:34 PM, Asif Iqbal wrote:

I can on /etc/pam.d/sshd

   auth sufficient 

and at ssh login, I just put the PIN at the Password: prompt and then I get the Enter SMS Token: prompt and I can then put the
tokencode and I can ssh into the server fine.

If I do the same with it keeps asking for Password: and never changes the prompt to Enter SMS Token: and ssh fails badly.
At this second Password: prompt I tried with just tokencode (at 18:45:34 in log below) or PIN and tokencode (at 18:47:55). Neither let
me in and failed eventually. 

I think it is because pam_sss -> proxy -> securid -> pam_securid is failing to handle the PAM conversation?

Is there a way to fix that so pam_sss behaves the right way and allows authenticating in two steps, with PIN and then TokenCode on the next step?

Also without this PAM conversation, when the PIN expires it will not let you update it. With simple pam.d/sshd and auth sufficient
that works very well as well.

I have sssd.conf setup like this
   auth_provider = proxy
   proxy_pam_target = securid

And in pam.d/securid file 
  auth sufficient

Here are some logs where
   I tried with PIN at first Password: prompt and then TokenCode at second Password: prompt at 18:45:34 and failed to login
   I tried with PIN at first Password: prompt and then PIN and TokenCode at second Password: prompt at 18:47:55 and failed to login

I tried with SELinux off and on, with the same result.

If I put PIN and TokenCode at the first Password: prompt, login works fine. I did not put any log for that here.

Any suggestion how to fix pam_sss for OTP?



