Last time I checked, it worked.
I would usually modify the
password-auth which is called in
auth substack password-auth.
privacyidea-auth. In this I would add after or replace the line
auth sufficient pam_unix.so try_first_pass
with a call to privacyIDEA.
Then you can replace the
auth substack with the
privacyidea-auth call and check for other services like “login”.
Check the log file of pam/auth.
Go in small steps, one after the other.
If you are fed up, use RADIUS and pam_radius.
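
An added example, not part of the original post: a small Python check for the "check for other services" step, which flattens each service's auth stack and reports whether `pam_unix.so` can still satisfy authentication before any privacyIDEA call is reached. The sample files are constructed, and the `pam_python.so /path/to/privacyidea_pam.py` line and its URL are assumed placeholders for "a call to privacyIDEA".

```python
import re

# Constructed stand-ins for files under /etc/pam.d (not from a real host).
SAMPLE = {
    "sshd": "auth substack privacyidea-auth\naccount required pam_nologin.so\n",
    "login": "auth substack password-auth\n",
    "password-auth": (
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so try_first_pass\n"
        "auth required pam_deny.so\n"
    ),
    "privacyidea-auth": (
        "auth required pam_env.so\n"
        # Assumed placeholder line for the privacyIDEA call.
        "auth sufficient pam_python.so /path/to/privacyidea_pam.py url=https://pi.example.invalid\n"
        "auth required pam_deny.so\n"
    ),
}

# type, control (plain word or [bracketed list]), module path plus arguments
LINE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(.+)")

def auth_stack(service, files, seen=()):
    """Flatten the auth lines of a service, following include/substack.
    Simplification: substack scoping of 'sufficient' is not modelled."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    out = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != "auth":
            continue
        control, rest = m.group(2), m.group(3).strip()
        if control in ("include", "substack"):
            out += auth_stack(rest.split()[0], files, seen + (service,))
        else:
            out.append((service, control, rest))
    return out

def audit(service, files):
    """Report which module is reached first: privacyIDEA or a sufficient pam_unix."""
    for _origin, control, module in auth_stack(service, files):
        if "privacyidea" in module.lower():
            return "privacyidea"
        if module.startswith("pam_unix.so") and control == "sufficient":
            return "unix-password-suffices"
    return "no-auth-module"

if __name__ == "__main__":
    for svc in ("sshd", "login"):
        print(svc, audit(svc, SAMPLE))
```

Against a real system, build the dictionary by reading the files in /etc/pam.d and run `audit` for every service that accepts logins.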