This repository was archived by the owner on Mar 8, 2023. It is now read-only.

Allow distinction between password/keyboard-interactive #22

@qlux


When sshd is set to UsePAM, password authentication will use the PrivacyIdea pam module as well as the regular password authentication in a regular prompt without the custom text of the pam module. Forcing one mode instead of both would allow sshd to use 2 authentications like password,keyboard-interactive or publickey,keyboard-interactive and prompt for 2fa only during the keyboard-interactive phase and return PAM_AUTHINFO_UNAVAIL during keyboard phase.

In the common-auth configuration file, this would look like this:

auth    [default=ignore success=ok]          pam_localuser.so
auth    [success=3 authinfo_unavail=ignore default=die]      pam_python.so /path/privacyidea_pam.py url=https://localhost prompt=Enter_your_2FA_Token realm=myrealm
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so 
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

This is inspired by the article https://sudonull.com/post/73132-Experience-implementing-2fa-on-linux-with-duosecurity-QIWI-Blog, in which the person inspects the response to get the difference between both modes.
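
The control flow of the stack quoted in the issue, as an added example that is not part of the original post or of the privacyidea project: a simplified Python model of Linux-PAM's bracket control syntax, driven by simulated module results. Module arguments are omitted, and treating a numeric jump as not contributing to the stack result is an assumption of this model.

```python
# Added illustration: simplified model of how Linux-PAM walks the auth stack
# quoted in the issue. Module results are simulated; no PAM module is called.
import re

KEYWORDS = {  # bracket equivalents of the classic control keywords (pam.conf(5))
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}  # constant results

# The stack from the issue, module arguments omitted.
STACK = """\
auth [default=ignore success=ok] pam_localuser.so
auth [success=3 authinfo_unavail=ignore default=die] pam_python.so
auth [success=2 default=ignore] pam_unix.so
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

def parse(stack):
    rules = []
    for line in stack.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        control = KEYWORDS.get(m.group(1), m.group(1))
        actions = dict(kv.split("=") for kv in control.strip("[]").split())
        rules.append((m.group(2), actions))
    return rules

def evaluate(returns, stack=STACK):
    """returns maps module name -> simulated result ('success', 'auth_err', ...)."""
    rules, i, status, trace = parse(stack), 0, None, []
    while i < len(rules):
        module, actions = rules[i]
        result = {**FIXED, **returns}.get(module, "ignore")
        action = actions.get(result, actions.get("default", "bad"))
        trace.append(module)
        i += 1
        if action.isdigit():                  # jump over the next N modules
            i += int(action)                  # (model assumption: no contribution)
        elif action in ("ok", "done", "bad", "die"):
            if status in (None, "success"):   # an earlier failure is never overridden
                status = result
            if action in ("done", "die"):     # terminate the stack immediately
                break
    return status == "success", trace
```

With `authinfo_unavail=ignore`, every case in which the module returns that code falls through to `pam_unix.so` and `pam_sss.so`, so PAM alone accepts a password; the second factor is enforced only if sshd requires both methods.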
