|PAM_SSS(8)||SSSD Manual pages||PAM_SSS(8)|
pam_sss.so [quiet] [forward_pass] [use_first_pass] [use_authtok] [retry=N] [ignore_unknown_user] [ignore_authinfo_unavail] [domains=X] [allow_missing_name] [prompt_always] [try_cert_auth] [require_cert_auth]
Please note that this option might not work as expected if the application calling PAM handles the user dialog on its own. A typical example is sshd with PasswordAuthentication.
NOTE: Must be used in conjunction with the “pam_trusted_users” and “pam_public_domains” options. Please see the sssd.conf(5) manual page for more information on these two PAM responder options.
The current use case are login managers which can monitor a Smartcard reader for card events. In case a Smartcard is inserted the login manager will call a PAM stack which includes a line like
auth sufficient pam_sss.so allow_missing_name
In this case SSSD will try to determine the user name based on the content of the Smartcard, returns it to pam_sss which will finally put it on the PAM stack.
If no Smartcard is available or certificate based authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL is returned.
If no Smartcard is available after the timeout or certificate based authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL is returned.
If SSSD's PAM responder is not running, e.g. if the PAM responder socket is not available, pam_sss will return PAM_USER_UNKNOWN when called as account module to avoid issues with users from other sources during access control.
The message is read from the file pam_sss_pw_reset_message.LOC where LOC stands for a locale string returned by setlocale(3). If there is no matching file the content of pam_sss_pw_reset_message.txt is displayed. Root must be the owner of the files and only root may have read and write permissions while all other users must have only read permissions.
These files are searched in the directory /etc/sssd/customize/DOMAIN_NAME/. If no matching file is present a generic message is displayed.