Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> As a workaround for another issue we have with using two-factor > authentication, we're using pam_krb5 to change expired passwords, so in > /etc/pam.d/password-auth-ac whe have changed the password section to be: > ... > > This puts the user through a password reset process without the second > factor interfering, but at the end they get shell. This is without the > second factor. > > > > Is there a parameter this so that the connection is disconnected instead, or > the connection attempt is restarted? I'd try pam_deny. This should work for password section. Jochen -- This space is intentionally left blank. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org