himmelblau-idm / himmelblau

Azure Entra ID Authentication, with PAM and NSS modules.
GNU General Public License v3.0

Allow for the 2fa code to be passed along with password or username #197

Open tastle73 opened 2 weeks ago

tastle73 commented 2 weeks ago

I have a couple of use cases where the UI does not support prompting for a second factor.

I think there is a way with the pam stack to prompt for both on the password prompt? Not sure.

If there were a way to exclude certain daemons on the system from 2fa, that would work too.

dmulder commented 2 weeks ago

> I have a couple of use cases where the UI does not support prompting for a second factor.

Can you be more specific about your use cases?

> I think there is a way with the pam stack to prompt for both on the password prompt? Not sure.
>
> If there were a way to exclude certain daemons on the system from 2fa, that would work too.

We could potentially do something like provide a pam option which bypasses MFA, and then you can have a custom pam configuration for that particular daemon.

dmulder commented 2 weeks ago

I'm wondering if we could configure a service-specific hello key. In other words, you'd have a different passcode for the specified service. Would that make sense in your environment?

tastle73 commented 2 weeks ago

> > I have a couple of use cases where the UI does not support prompting for a second factor.
>
> Can you be more specific about your use cases?

Sure! xrdp is the first thing that comes to mind. It does have its own pam stack file. Another is Apache Guacamole.

> > I think there is a way with the pam stack to prompt for both on the password prompt? Not sure. If there were a way to exclude certain daemons on the system from 2fa, that would work too.
>
> We could potentially do something like provide a pam option which bypasses MFA, and then you can have a custom pam configuration for that particular daemon.