From 7e76396a891b4c704f1db8c71a217f869bef0ec3 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 12 Jul 2024 13:46:00 +0200 Subject: [PATCH 8/8] pam_sss: add missing optional 2nd factor handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a follow up to pull-request #7462 and adds the proper handling of an optional second factor in case the prompting is configured. Resolves: https://github.com/SSSD/sssd/issues/7456 Reviewed-by: Justin Stephenson Reviewed-by: Tomáš Halman (cherry picked from commit 077d2993a1b306e7cfe61618cbd5d03c602572f8) Reviewed-by: Sumit Bose
---
 src/sss_client/pam_sss.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d43bd0f55..d1101e16c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi)
 ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
 break;
 case PC_TYPE_2FA:
- ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
- pc_get_2fa_2nd_prompt(pi->pc[c]));
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, true, pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ } else {
+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ }
 break;
 case PC_TYPE_2FA_SINGLE:
 ret = prompt_2fa_single(pamh, pi,
-- 2.45.2
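Review bot: The two new branches under `case PC_TYPE_2FA:` are identical except for the third argument to prompt_2fa(), so a later edit to one prompt call can silently miss the other. Assuming `pi->password_prompting` is a bool (its declaration is not in this hunk), the if/else collapses to `ret = prompt_2fa(pamh, pi, pi->password_prompting, pc_get_2fa_1st_prompt(pi->pc[c]), pc_get_2fa_2nd_prompt(pi->pc[c]));`. Because this flag now decides whether the second factor may be left empty on an authentication path, the case also deserves a one-line comment saying why password prompting makes the second factor optional and where the flag is set. prompt_by_config's body starts and ends outside the hunk, so whether the other prompt types need the same treatment cannot be judged from here.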