This bug was initially created as a copy of Bug #1749279

I am copying this bug because: to track fix for RHEL8.

Description of problem:

When I configured 2FA prompting ([prompting/2fa]) in my sssd.conf, it did not have any effect until I also added blank [prompting/password].

sssd.conf:

    [prompting/2fa]
    single_prompt = True
    first_prompt = Password + OTP:

Version-Release number of selected component (if applicable):

sssd-ipa-2.2.0-16.el8.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Install IPA server and configure a user with OTP login enforced
2. Add prompting configuration to sssd.conf as mentioned above
3. Restart SSSD
4. ssh as the OTP user

Actual results:

    $ ssh employee_otp.test
    First Factor:
    Second Factor:
    Activate the web console with: systemctl enable --now cockpit.socket

    [employee_otp@ipa /]$

Expected results:

    $ ssh employee_otp.test
    Password + OTP:

Additional info:

As mentioned, the following sssd.conf setting can be used as a workaround:

    [prompting/password]

    [prompting/2fa]
    single_prompt = True
    first_prompt = Password + OTP token value
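A configuration check for the condition described in the report above, as an added example that is not part of the original bug report or of SSSD: it flags an sssd.conf that sets [prompting/2fa] without a [prompting/password] section. The function names and the sample configurations are constructed for illustration.

```python
import configparser
import sys

# Constructed sample inputs (not taken from a real host).
AFFECTED = """\
[sssd]
services = nss, pam

[prompting/2fa]
single_prompt = True
first_prompt = Password + OTP:
"""

WORKAROUND = """\
[sssd]
services = nss, pam

[prompting/password]

[prompting/2fa]
single_prompt = True
first_prompt = Password + OTP:
"""


def prompting_sections(conf_text):
    """Return the names of all [prompting/...] sections, in file order."""
    # RawConfigParser: no % interpolation, so prompt strings are read verbatim.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    return [s for s in parser.sections() if s.startswith("prompting/")]


def needs_workaround(conf_text):
    """True when [prompting/2fa] is present but [prompting/password] is not,
    the combination the report says has no effect on the affected build."""
    sections = prompting_sections(conf_text)
    return "prompting/2fa" in sections and "prompting/password" not in sections


if __name__ == "__main__":
    # Path is an assumption: the usual location of the main SSSD config file.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    with open(path) as fh:
        flagged = needs_workaround(fh.read())
    print("2FA prompt settings may be ignored: add an empty [prompting/password]"
          if flagged else "no [prompting/2fa]-only configuration found")
    sys.exit(1 if flagged else 0)
```

Reading the live file usually requires root, since sssd.conf is not world-readable.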
Pushed PR: https://github.com/SSSD/sssd/pull/6082

* `master`
    * 5c5a6b89e73094da92a33876896c7c0e87660294 - tests: allow to run single pam-srv-tests tests
    * 34829d3bc6ff90c916162ffcd1942285a16a735d - tests: add utilities for cmocka based unit tests
    * d8d25758a10dbc34815c5e7b012cd4ee3eb185dc - pam: fix section parsing issue
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739