Hello all,

when using smart card auth with pam_pkcs11 there is an option to set 'nullok' to true/false. Setting it to false effectively makes pam_pkcs11 ignore empty pin entries (this option is also available for pam_unix and set to false as default). So if I get a pin prompt and just press Enter it is not regarded as an authentication attempt.

Is there anything similar with pam_sss? Default behaviour seems to be to regard empty inputs as an auth attempt, so if I run sudo and just press Enter a couple of times this counts as failed auth attempts and will consequently lock my smart card. Which is not what I want.