The following scenarios apply when you want to unlock the Linux operating system on CentOS 7 with the KDE environment:
As a domain user, when you are locked on CentOS 7 (KDE) and there are multiple chains, PAM selects the first chain based on the following criteria:
Table 6-1 Multiple Chains - Criteria and required action
Criteria | Action |
---|---|
Criterion 1: The chain consists of one of the following methods as the first method: | PAM selects the chain that meets the condition listed in criterion 1. You must perform the following steps: |
Criterion 2: There are two chains that contain one of the following methods as the first method: | PAM selects the top chain of the used list that meets the condition listed in criterion 2. You must perform the following steps: For example, assume that there are two chains as follows: PAM selects Chain 1, which is on top of the used list and meets the condition. |
Criterion 3: The chain consists of any Advanced Authentication method (except the Password, LDAP, HOTP, and TOTP methods) as the first method. | PAM selects the top chain of the used list. You must follow the chain and specify valid data to pass the chain. For example, assume that there are two chains as follows: PAM selects Chain 1, which is on top of the used list. You must perform the following to pass authentication: |
NOTE: In the authentication chain, irrespective of the position of the Email OTP, SMS OTP, or Voice OTP method, if you specify an invalid OTP, the authentication cannot be continued or initiated again. To continue or initiate the authentication, do one of the following:
Specify a valid OTP.
Wait till the login session expires.
NOTE: If you select an authentication chain that contains Password, LDAP Password, TOTP, or HOTP as the second method (for example, Smartphone+Password, Card+TOTP, or U2F+HOTP), ensure that you specify the Password, LDAP Password, TOTP, or HOTP in Password. Then accept the authentication request on the smartphone, swipe the card, or touch the U2F token.
The following table describes the behavior of each method when it is the first or single method in an authentication chain:
Table 6-2 Method behavior and required action
Method | Action |
---|---|
LDAP password | You must perform the following steps: |
Password | |
HOTP | |
TOTP | |
RADIUS | |
SMS OTP | |
Email OTP | |
Voice OTP | |
Emergency password | |
Voice | |
Security questions | With Security questions as the first or single method in the chain, you cannot unlock the operating system. |
Smartphone | NOTE: When there is no mobile data on your smartphone, you cannot unlock the operating system with the smartphone OTP. If you tap Reject, the login fails. |
FIDO U2F | NOTE: If you touch an incorrect U2F device that is not enrolled, a new authentication session appears. |
Card | NOTE: If you tap an invalid card, a new login session appears. |
Bluetooth | With Bluetooth as the first or single method in the chain, you cannot unlock the operating system. |
PKI | With PKI as the first or single method in the chain, you cannot unlock the operating system. |