How to add PrivacyIDEA 2nd factor to sss-based RL8/9 (ssh login)

Hi all,
I need to add the 2nd factor check after the 1st factor login returns OK. I installed and from debug logs I can see that it calls the module The problem is that this modules runs without prompting for the OTP, sending the username and I dunno what else to the privacyIDEA URL.

In the audit section of privacyIDEA GUI, I can see the POST action with /validate /check resulting in a failure with “wrong otp pin” status (of course, since does not ask for the otp).

I tried with python2.7 and python3.6. The result is the same.

Any hint?

Some “masqueraded” config files and debug log follows

~]# cat /etc/pam.d/sshd
auth       substack     password-auth debug
auth       optional /usr/lib/python2.7/site-packages/privacyidea_pam-2.11.dev0-py2.7.egg/ cacerts=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem url=https://myPI debug=true realm=myRealm prompt="Insert OTP :"
 sshd[16284]: debug3: PAM: sshpam_passwd_conv called with 1 messages
 sshd[16284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=enrico
 sshd[16284]: debug3: PAM: sshpam_passwd_conv called with 1 messages
 sshd[16284]: offline check returned: False, None
 sshd[16284]: Authenticating enrico against https://myPI
 sshd[16284]: requests > 1.0
 sshd[16284]: privacyidea_pam: result: {u'status': True, u'authentication': u'REJECT', u'value': False}
 sshd[16284]: privacyidea_pam: detail: {u'message': u'wrong otp pin', u'threadid': 140481569601280}
 sshd[16284]: debug1: PAM: password authentication accepted for enrico


ChallengeResponseAuthentication in the /etc/ssh/sshd_conf was disabling the 2f request


ChallengeResponseAuthentication yes