AW: Re: pam Module fails to authenticate against server?

You are mixing things up.
“Your OTP:” is a prompt you configure in the PAM module.
Kind regardsCornelius

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbHHttp://NetKnights. It
+49 561 3166 797-------- Ursprüngliche Nachricht --------Von: Datum: 07.04.17 00:47 (GMT+01:00) An: privacyidea Betreff: [privacyidea] Re: pam Module fails to authenticate against server?
It would be great if the PAM Plugin could also handle U2F token authentications. In my case, there should be other tokens available aside from TOTP/HOTP like U2F, eMail, or SMS. Ive tried two from the list (TOTP, SMS) but it always prompt the first "Your OTP : ". It would be proper if there would be a handling if there are multiple tokens for the authenticating user. I think that would be the option corresponding to challenge-response under the policy authentication. Additionally, is it posible to auto-enroll a default token though settings/policy/event handlers, lets say an email token, if the user authenticates against the privacyidea server WebUI for the first time and has no tokens available. The reason for this is that if the user’s PW gets compromised and be used by the MITM to log into the privacyidea server using only credentials/userstore accnt+PW then creates another token or changes current tokens, then the whole 2FA Infrastructure or Security Flow of the Organization will also be not that effective. I suppose it would also really be beneficial if the privacyidea server itself has a 2FA mechanism for user authentication using the WebUI.

Or do you have an implementation for this?

Best regards,
Jojo Santos

On Thursday, April 6, 2017 at 6:11:45 PM UTC+2, Cornelius Kölbel wrote:you can not use the U2F token with privacyIDEA to do a ssh login.
If the user has several tokens, like HOTP or TOTP, the user simple uses one of his tokens, and privacyIDEA will realize, which one it was.
Am Mittwoch, 5. April 2017 15:04:28 UTC+2 schrieb for flooding, i got it working. I really forgot the PIN is also to be typed! Before i set the PIN as ‘test’ and thats the reason for the failed wrong OTP output in the logs. Now, i set no password and it works!

Another thing to be implemented is this scenario:

  • user-x has 2 tokens (totp and u2f)
  • the 2fa should be used when ssh-ing to a machine.
  • example: ssh
  • the PAM plugin should be able to select what token is to be used after the 1st authentication. so the flow would be username+password -> select token to be used (since user has 2 tokens) -> authenticate using selected token -> session.

Is this possible with the PAM plugin??

Thanks so much in advance!


Please read the blog post about getting help

For professional services and consultancy regarding two factor authentication please visit

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suites your needs for SECURITY, AVAILABILITY and LIABILITY:

You received this message because you are subscribed to a topic in the Google Groups “privacyidea” group.

To unsubscribe from this topic, visit

To unsubscribe from this group and all its topics, send an email to

To post to this group, send email to

Visit this group at

To view this discussion on the web visit

For more options, visit