Is there an existing request for this feature?
Describe the feature
As an administrator of an internet-facing server, I am frustrated that authd's PAM module allows a user to authenticate using either the online OIDC flow (e.g., Entra ID) or their local password during an initial login session (like sshd).
This creates a significant security vulnerability. The entire purpose of using authd for a public server is to enforce strong, multi-factor authentication (MFA) via the cloud provider. By offering the local password as an alternative, authd allows this MFA to be completely bypassed by a single-factor (the local password).
The existing force_provider_authentication = true option does not solve this. That option only forces an online check after the local password flow is chosen; it does not prevent the user from choosing the local password flow in the first place.
I need a way to configure authd to be "smarter" — it should only offer the OIDC/online flow for initial logins, but still allow the local password to be used for in-session actions like sudo or unlocking the screensaver.
Describe the ideal solution
The ideal solution is for the authd PAM module to inform the authd-broker of which service (e.g., sshd, sudo, gdm-password) is requesting authentication.
This "service context" allows the broker to enforce different logic for different scenarios.
- New Configuration in broker.conf
A new configuration option should be added to the broker (e.g., authd-msentraid-broker's broker.conf),like this:
require_online_auth_for_services = sshd,gdm-password
- Pass PAM_SERVICE from authd to broker
This is the most critical part. The architecture must be modified so that the broker knows what service is calling.
authd : Must read the PAM_SERVICE environment variable (e.g., "sshd", "sudo", "gdm-password").
D-Bus API: authd must pass this serviceName string as a new argument in its D-Bus call to the broker when requesting authentication.
broker: The broker receives this serviceName. When deciding which auth methods to offer the user, it checks its new config,and decide to provide which kinds of auth method.
This solution allows administrators to enforce a true "zero-trust" login policy for public servers, while retaining the usability of local passwords for sudo and lock-screen operations.
Alternatives and current workarounds
There are no viable workarounds for this at the moment.
Is there an existing request for this feature?
Describe the feature
As an administrator of an internet-facing server, I am frustrated that authd's PAM module allows a user to authenticate using either the online OIDC flow (e.g., Entra ID) or their local password during an initial login session (like sshd).
This creates a significant security vulnerability. The entire purpose of using authd for a public server is to enforce strong, multi-factor authentication (MFA) via the cloud provider. By offering the local password as an alternative, authd allows this MFA to be completely bypassed by a single-factor (the local password).
The existing force_provider_authentication = true option does not solve this. That option only forces an online check after the local password flow is chosen; it does not prevent the user from choosing the local password flow in the first place.
I need a way to configure authd to be "smarter" — it should only offer the OIDC/online flow for initial logins, but still allow the local password to be used for in-session actions like sudo or unlocking the screensaver.
Describe the ideal solution
The ideal solution is for the authd PAM module to inform the authd-broker of which service (e.g., sshd, sudo, gdm-password) is requesting authentication.
This "service context" allows the broker to enforce different logic for different scenarios.
A new configuration option should be added to the broker (e.g., authd-msentraid-broker's broker.conf),like this:
require_online_auth_for_services = sshd,gdm-passwordThis is the most critical part. The architecture must be modified so that the broker knows what service is calling.
authd : Must read the PAM_SERVICE environment variable (e.g., "sshd", "sudo", "gdm-password").
D-Bus API: authd must pass this serviceName string as a new argument in its D-Bus call to the broker when requesting authentication.
broker: The broker receives this serviceName. When deciding which auth methods to offer the user, it checks its new config,and decide to provide which kinds of auth method.
This solution allows administrators to enforce a true "zero-trust" login policy for public servers, while retaining the usability of local passwords for sudo and lock-screen operations.
Alternatives and current workarounds
There are no viable workarounds for this at the moment.