On 17Jan23 17:33+0000, Howard Chu wrote:
Sounds more like a question for your SSH server, and whether you can configure it to use PAM after a successful pubkey authentication.
Yes, PAM is enabled for sshd.
I do not have the full picture how slap-totp works. For me, there two open questions:
1. From openldap pov: How would I make the bind call to slapd, so that only the TOTP is checked? Would the following be sufficient to achieve 2FA only:
```ldif: userPassword: {TOTP512}$BASE64 # assuming the overlay is confgured properly ```
Would it be possible to use another attribute than `userPassword`?
2. PAM integration: This is not a question to this group here, but maybe there are some related ideas. How or which PAM module can be used?
The aim is to avoid copying the TOTP secret of users to the local systems (which are the public accessible hosts).
Many thanks, Cheers, -- Bastian Tweddell Juelich Supercomputing Centre phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS