6.2 Unlocking Linux on SUSE 11

The following scenarios describe how to unlock the Linux operating system on SUSE 11:

Scenario 1: Multiple Chains

When you are a domain user who is locked out on SUSE 11 and more than one authentication chain is assigned to you, PAM selects the first chain. The action required to unlock the operating system depends on which of the following criteria the selected chain meets:

Table 6-3 Criteria and required action

Criterion 1: The chain consists of a single method and the method is one of the following:

  • Password

  • LDAP Password

  • TOTP

  • HOTP

Action: If PAM selects this single-method chain as the first chain, perform the following steps to unlock the account:

  1. Specify the password.

  2. Click Unlock.

Criterion 2: The chain consists of the following two methods (irrespective of the order of the methods):

  • Password, LDAP Password, TOTP or HOTP

  • Out-of-band (Smartphone or Voice Call)

Action: If PAM selects this two-method chain as the first chain, perform the following steps to unlock the account:

  1. Specify the password.

  2. Accept the out-of-band request (for example, the push message on the smartphone).

NOTE: When the smartphone has no network connection, you cannot unlock the operating system with a chain that includes the Smartphone method, because the push request cannot reach the device. In that case, click Switch User and log in using your preferred authentication chain.

Criterion 3: The chain consists of more than two methods, which can be any of the Advanced Authentication methods.

Action: Click Switch User and log in again using the same authentication chain.

Criterion 4: The chain consists of any of the following methods (that is, methods other than Password, LDAP Password, HOTP, TOTP, Smartphone, and Voice Call):

  • Card

  • Email OTP

  • FIDO U2F

  • Fingerprint

  • PKI

  • SMS OTP

  • Swiss Mobile ID

  • Voice OTP

Action: Click Switch User and log in again using the same authentication chain.

The unlock screen cannot complete these methods: if you enter any text in the password field, the error message Unable to authenticate user is displayed.

Scenario 2: Single Chain

When a domain user is locked out on SUSE 11 and only one chain is assigned, PAM selects that chain for authentication. The chain can consist of one or more of the following methods, and the action required to unlock the operating system depends on which of the following criteria the chain meets:

Table 6-4 Criteria and required action

Criterion 1: The chain consists of a single method and the method is one of the following:

  • Password

  • LDAP Password

  • TOTP

  • HOTP

Action: If the chain consists of a single method, perform the following steps to unlock the account:

  1. Specify the password.

  2. Click Unlock.

Criterion 2: The chain consists of the following two methods (irrespective of the order of the methods):

  • Password, LDAP Password, TOTP or HOTP

  • Out-of-band (Smartphone or Voice Call)

Action: With two methods in the chain, PAM prompts you to perform the following steps:

  1. Specify the password.

  2. Accept the out-of-band request (for example, the push message on the smartphone).

NOTE: When the smartphone has no network connection, you cannot unlock the operating system with a chain that includes the Smartphone method, because the push request cannot reach the device. In that case, click Switch User and log in using your preferred authentication chain.

Criterion 3: The chain consists of more than two methods, which can be any of the Advanced Authentication methods.

Action: Click Switch User and log in again using the same authentication chain.

Criterion 4: The chain consists of any of the following methods (that is, methods other than Password, LDAP Password, HOTP, TOTP, Smartphone, and Voice Call):

  • Card

  • Email OTP

  • FIDO U2F

  • Fingerprint

  • PKI

  • SMS OTP

  • Swiss Mobile ID

  • Voice OTP

Action: Click Switch User and log in again using the same authentication chain.

The unlock screen cannot complete these methods: if you enter any text in the password field, the error message Unable to authenticate user is displayed.