I am pretty new to Thinlinc but trying to tinker a few things. I am needing to force users to be prompted for duo when logging into the Thinlinc master. Users will be prompted when attempting to access the server via ssh connections but not while logging in through Thinlinc. I have attempted to follow the documentation from google authenticator being added but it does not seem to work. Any help would be appreciated.
I believe @wilsj has been helping you with this via other channels, but if you do manage to solve the issue, it would be great if you could update this thread with your findings. It might help others with the same question in future, and would be much appreciated
We’ve been working with the native client: we’re only allowing ssh-keys as the first authentication factor and because I don’t know if we can apply the same restrictions (eg: -noclipboard as an xserver argument) to a web session.
Our sshd_config file restricts user logins to the vsmagent:
We were never able to resolve the issue. From what I recall, the changes must be made within the thinlinc file located within /etc/pam.d/thinlinc. Here there is a symlink between sshd and thinlinc config files. I would make changes here but it seemed to cause more harm than good.
You may find some useful info in the comments there. But to summarise, the ThinLinc client unfortunately doesn’t support chaining together multiple authentication methods as per your PAM configuration above.
I hope that answers your question, but let me know if you need further info.