6.1 Unlocking Linux on CentOS 7 KDE

The following scenarios apply on CentOS 7 with the KDE environment when you want to unlock the Linux operating system:

Scenario 1: Multiple Chains

As a domain user, when your session is locked on CentOS 7 (KDE) and there are multiple chains, PAM selects the first chain based on the following criteria:

Table 6-1 Multiple Chains - Criteria and required action (columns: Criteria, Action)

Criterion 1: The first method in the chain is one of the following:

  • Password

  • LDAP Password

  • TOTP

  • HOTP

PAM selects the chain that meets criterion 1, and you must perform the following steps:

  1. Specify the password.

  2. Click Unlock.

  3. Specify valid data for other methods to pass the chain.

Criterion 2: Two chains have one of the following methods as the first method:

  • Password

  • LDAP Password

  • TOTP

  • HOTP

PAM selects the top chain of the used list that meets criterion 2. You must perform the following steps:

  1. Specify the password.

  2. Click Unlock.

  3. Specify valid data for other methods to pass the chain.

For example: Assume that there are two chains as follows:

  • Chain 1: This chain consists of methods: TOTP, FIDO U2F and Voice OTP.

  • Chain 2: This chain consists of methods: Password, Card and SMS OTP.

PAM selects Chain 1, which is at the top of the used list and meets the condition.

Criterion 3: The first method in the chain is any Advanced Authentication method other than Password, LDAP Password, HOTP, or TOTP.

PAM selects the top chain of the used list. You must follow the chain and specify valid data for each method to pass it.

For example: Assume that there are two chains as follows:

  • Chain 1: This chain consists of methods: Card, Email OTP, and FIDO U2F.

  • Chain 2: This chain consists of the methods: Fingerprint, PKI, and SMS OTP.

PAM selects Chain 1, which is at the top of the used list, and you must perform the following steps to pass authentication:

  1. Click Unlock without specifying the password.

  2. Tap a valid card on the reader.

  3. Specify the OTP received by email.

  4. Tap your finger on the FIDO U2F device.

NOTE: In the authentication chain, irrespective of the position of the Email OTP, SMS OTP, or Voice OTP method, if you specify an invalid OTP, you cannot continue or restart the authentication. To continue or restart it, do one of the following:

  • Specify a valid OTP.

  • Wait until the login session expires.

NOTE: If you select an authentication chain that contains Password, LDAP Password, TOTP, or HOTP as the second method (for example, Smartphone+Password, Card+TOTP, or U2F+HOTP), ensure that you specify the Password, LDAP Password, TOTP, or HOTP in the Password field first. Then accept the authentication request on the smartphone, swipe the card, or touch the U2F token.

Scenario 2: First or Single Method in Chain

The following table describes the behavior of a chain for each method when that method is the first or only method in the authentication chain:

Table 6-2 Method behavior and required action (columns: Method, Action)

LDAP password

You must perform the following steps:

  1. Specify the LDAP password.

  2. Click Unlock.

Password

  1. Specify the password.

  2. Click Unlock.

HOTP

  1. Specify the HOTP.

  2. Click Unlock.

TOTP

  1. Specify the TOTP.

  2. Click Unlock.

RADIUS

  1. Specify the RADIUS password.

  2. Click Unlock.

SMS OTP

  1. Click Unlock.

  2. Specify the SMS OTP.

Email OTP

  1. Click Unlock.

  2. Specify the Email OTP.

Voice OTP

  1. Click Unlock.

  2. Specify the Voice OTP.

Emergency password

  1. Specify the Emergency password.

  2. Click Unlock.

Voice

  1. Click Unlock to initiate a phone call.

  2. Specify the PIN.

Security questions

With Security questions as the first or only method in the chain, you cannot unlock the operating system.

Smartphone

  1. Click Unlock to initiate an authentication request.

  2. Open the Advanced Authentication smartphone app and tap Accept.

NOTE: When there is no mobile data on your smartphone, you cannot unlock the operating system with the smartphone OTP. If you tap Reject, login fails.

FIDO U2F

  1. Click Unlock.

  2. Touch the U2F device when it flashes.

NOTE: If you touch a U2F device that is not enrolled, a new authentication session appears.

Card

  1. Click Unlock.

  2. Tap the card on the reader.

NOTE: If you tap an invalid card, a new login session appears.

Bluetooth

With Bluetooth as the first or only method in the chain, you cannot unlock the operating system.

PKI

With PKI as the first or only method in the chain, you cannot unlock the operating system.
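The chain-selection criteria of Table 6-1 and the per-method actions of Table 6-2 can be modelled to check how a given set of chains will behave at the KDE lock screen. The following is an added example, not code from the Advanced Authentication product or its documentation; it assumes the criteria are applied in the order listed, that the used list is supplied top-first, and that method names match the tables exactly.

```python
# Added example (not from the Advanced Authentication documentation): models the
# chain selection of Table 6-1 and the unlock actions of Table 6-2.
# Assumptions: criteria apply in the order listed, the used list is given
# top-first, and method names are spelled as in the tables.

# Criteria 1 and 2: a chain starting with one of these is preferred.
PASSWORD_LIKE = {"Password", "LDAP Password", "TOTP", "HOTP"}
# Table 6-2: methods typed into the Password field before clicking Unlock.
TYPED_BEFORE_UNLOCK = PASSWORD_LIKE | {"RADIUS", "Emergency password"}
# Table 6-2: methods that cannot unlock the session when first or only.
CANNOT_UNLOCK_FIRST = {"Security questions", "Bluetooth", "PKI"}
# Table 6-2: user action for methods performed after clicking Unlock.
ACTION = {
    "SMS OTP": "Specify the SMS OTP",
    "Email OTP": "Specify the OTP received by email",
    "Voice OTP": "Specify the Voice OTP",
    "Voice": "Answer the phone call and specify the PIN",
    "Smartphone": "Tap Accept in the Advanced Authentication smartphone app",
    "FIDO U2F": "Touch the U2F device when it flashes",
    "Card": "Tap the card on the reader",
}

def select_chain(used_list):
    """Criteria 1-2: topmost chain whose first method is password-like;
    criterion 3: otherwise the top chain of the used list."""
    for chain in used_list:
        if chain and chain[0] in PASSWORD_LIKE:
            return chain
    return used_list[0] if used_list else None

def unlock_steps(chain):
    """Ordered user actions for the chain, or [] if it cannot unlock."""
    first = chain[0]
    if first in CANNOT_UNLOCK_FIRST:
        return []
    if first in TYPED_BEFORE_UNLOCK:
        steps, rest = [f"Specify the {first}", "Click Unlock"], chain[1:]
    elif len(chain) > 1 and chain[1] in PASSWORD_LIKE:
        # Second note of Scenario 1: a password-like second method goes into
        # the Password field first, then the first method is performed.
        steps = [f"Specify the {chain[1]} in the Password field",
                 "Click Unlock", ACTION[first]]
        rest = chain[2:]
    else:
        steps, rest = ["Click Unlock without specifying the password",
                       ACTION[first]], chain[1:]
    # Methods the tables do not describe get a generic fallback action.
    steps += [ACTION.get(m, f"Provide {m}") for m in rest]
    return steps
```

Running `unlock_steps(select_chain([["Card", "Email OTP", "FIDO U2F"], ["Fingerprint", "PKI", "SMS OTP"]]))` reproduces the criterion 3 walkthrough above.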