Allow disabling local password through broker.conf #1234

adombeck · 2026-02-02T14:10:27Z

Suggested change

## - Device authentication will be required for every login

## - Device authentication will be required for every authentication attempt,

## including logins and privileged operations (e.g. sudo, polkit actions)

adombeck · 2026-02-02T14:20:52Z

Note to self: We should probably point users to force_provider_authentication here, and maybe briefly discuss the use cases of force_provider_authentication and disable_local_password.

Yes, force_provider_authentication only comes into play when the user tries logging in through local password.

Maybe we can add an explanation mentioning about when force_provider_authentication makes sense.

adombeck · 2026-02-02T14:11:50Z

Suggested change

## Important: Enabling this option prevents offline login entirely.

## Important: Enabling this option prevents offline authentication entirely.

adombeck · 2026-02-02T12:54:29Z

Suggested change

// Only require password creation if local password authentication is not disabled

// Require password creation unless local password authentication is disabled

adombeck · 2026-02-02T14:19:07Z

Another consequence of not creating a local password is that the keyring can't be unlocked. #1190 also won't fix it in that case.

Okay. We can discuss about this. I will post here if I get an idea about this.

I made a proposal here: #1190 (comment)

adombeck · 2026-02-02T14:25:01Z

Note to self: Manually test:

ssh

sudo

pkexec

unlocking keyring

Ideally we should add e2e tests for those.

-Original file line number
+Diff line change
@@ Expand Up / @@ -537,6 +537,7 @@ func TestIsAuthenticated(t *testing.T) { @@
     		sessionOffline                     bool
     		username                           string
     		forceProviderAuthentication        bool
+    		disableLocalPassword               bool
     		userDoesNotBecomeOwner             bool
     		allUsersAllowed                    bool
     		extraGroups                        []string
@@ Expand Down Expand Up / @@ -700,6 +701,14 @@ func TestIsAuthenticated(t *testing.T) { @@
     			},
     			address: "127.0.0.1:31315",
     		},
+    		"Authenticating_with_device_auth_completes_without_newpassword_when_local_password_is_disabled": {
+    			firstSecret:          "-",
+    			disableLocalPassword: true,
+    		},
+    		"Authenticating_with_qrcode_completes_without_newpassword_when_local_password_is_disabled": {
+    			firstSecret:          "-",
+    			disableLocalPassword: true,
+    		},
     		"Error_when_authentication_data_is_invalid":         {invalidAuthData: true},
     		"Error_when_secret_can_not_be_decrypted":            {firstMode: authmodes.Password, badFirstKey: true},
@@ Expand Down Expand Up / @@ -776,6 +785,17 @@ func TestIsAuthenticated(t *testing.T) { @@
     			token:          &tokenOptions{deviceIsDisabled: true},
     			sessionOffline: true,
     		},
+    		"Error_when_mode_is_password_and_local_password_is_disabled": {
+    			firstMode:            authmodes.Password,
+    			disableLocalPassword: true,
+    			token:                &tokenOptions{},
+    		},
+    		"Error_when_session_is_for_changing_password_and_local_password_is_disabled": {
+    			sessionMode:          sessionmode.ChangePassword,
+    			firstMode:            authmodes.Password,
+    			disableLocalPassword: true,
+    			token:                &tokenOptions{},
+    		},
     		"Error_when_mode_is_invalid": {firstMode: "invalid"},
     	}
     	for name, tc := range tests {
@@ Expand Down Expand Up / @@ -805,6 +825,7 @@ func TestIsAuthenticated(t *testing.T) { @@
     				firstUserBecomesOwner:       !tc.userDoesNotBecomeOwner,
     				allUsersAllowed:             tc.allUsersAllowed,
     				forceProviderAuthentication: tc.forceProviderAuthentication,
+    				disableLocalPassword:        tc.disableLocalPassword,
     				extraGroups:                 tc.extraGroups,
     				ownerExtraGroups:            tc.ownerExtraGroups,
     				supportsDeviceRegistration:  tc.providerSupportsDeviceRegistration,
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -18,6 +18,8 @@ import ( @@
     const (
     	// forceProviderAuthenticationKey is the key in the config file for the option to force provider authentication during login.
     	forceProviderAuthenticationKey = "force_provider_authentication"
+    	// disableLocalPasswordKey is the key in the config file for the option to disable local password authentication.
+    	disableLocalPasswordKey = "disable_local_password"
     	// oidcSection is the section name in the config file for the OIDC specific configuration.
     	oidcSection = "oidc"
@@ Expand Down Expand Up / @@ -80,6 +82,7 @@ type userConfig struct { @@
     	issuerURL    string
     	forceProviderAuthentication bool
+    	disableLocalPassword        bool
     	registerDevice              bool
     	allowedUsers          map[string]struct{}
@@ Expand Down Expand Up @@
     				return userConfig{}, fmt.Errorf("error parsing '%s': %w", forceProviderAuthenticationKey, err)
     			}
     		}
+    		if oidc.HasKey(disableLocalPasswordKey) {
+    			cfg.disableLocalPassword, err = oidc.Key(disableLocalPasswordKey).Bool()
+    			if err != nil {
+    				return userConfig{}, fmt.Errorf("error parsing '%s': %w", disableLocalPasswordKey, err)
+    			}
+    		}
     	}
     	entraID := iniCfg.Section(entraIDSection)
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,17 +28,25 @@ issuer = https://issuer.url.com @@
     client_id = client_id
     force_provider_authentication = true
     extra_scopes = groups,offline_access, some_other_scope
+    disable_local_password = true
     [users]
     home_base_dir = /home
     allowed_ssh_suffixes = @issuer.url.com
     `,
-    	"invalid_boolean_value": `
+    	"invalid_force_provider_authentication_boolean_value": `
     [oidc]
     issuer = https://issuer.url.com
     client_id = client_id
     force_provider_authentication = invalid
+    `,
+    	"invalid_disable_local_password_boolean_value": `
+    [oidc]
+    issuer = https://issuer.url.com
+    client_id = client_id
+    disable_local_password = invalid
     `,
     	"singles": `
@@ Expand Down Expand Up / @@ -82,12 +90,13 @@ func TestParseConfig(t *testing.T) { @@
     		"Do_not_fail_if_values_contain_a_single_template_delimiter": {configType: "singles"},
-    		"Error_if_file_does_not_exist":             {configType: "inexistent", wantErr: true},
-    		"Error_if_file_is_unreadable":              {configType: "unreadable", wantErr: true},
-    		"Error_if_file_is_not_updated":             {configType: "template", wantErr: true},
-    		"Error_if_drop_in_directory_is_unreadable": {dropInType: "unreadable-dir", wantErr: true},
-    		"Error_if_drop_in_file_is_unreadable":      {dropInType: "unreadable-file", wantErr: true},
-    		"Error_if_config_contains_invalid_values":  {configType: "invalid_boolean_value", wantErr: true},
+    		"Error_if_file_does_not_exist":                                          {configType: "inexistent", wantErr: true},
+    		"Error_if_file_is_unreadable":                                           {configType: "unreadable", wantErr: true},
+    		"Error_if_file_is_not_updated":                                          {configType: "template", wantErr: true},
+    		"Error_if_drop_in_directory_is_unreadable":                              {dropInType: "unreadable-dir", wantErr: true},
+    		"Error_if_drop_in_file_is_unreadable":                                   {dropInType: "unreadable-file", wantErr: true},
+    		"Error_if_force_provider_authentication_contains_invalid_boolean_value": {configType: "invalid_force_provider_authentication_boolean_value", wantErr: true},
+    		"Error_if_disable_local_password_contains_invalid_boolean_value":        {configType: "invalid_disable_local_password_boolean_value", wantErr: true},
     	}
     	for name, tc := range tests {
     		t.Run(name, func(t *testing.T) {
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
     	cfg.forceProviderAuthentication = value
     }
+    func (cfg *Config) SetDisableLocalPassword(value bool) {
+    	cfg.disableLocalPassword = value
+    }
     func (cfg *Config) SetRegisterDevice(value bool) {
     	cfg.registerDevice = value
     }
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -26,6 +26,7 @@ type brokerForTestConfig struct { @@
     	broker.Config
     	issuerURL                   string
     	forceProviderAuthentication bool
+    	disableLocalPassword        bool
     	registerDevice              bool
     	allowedUsers                map[string]struct{}
     	allUsersAllowed             bool
@@ Expand Down Expand Up @@
     	if cfg.forceProviderAuthentication {
     		cfg.SetForceProviderAuthentication(cfg.forceProviderAuthentication)
     	}
+    	if cfg.disableLocalPassword {
+    		cfg.SetDisableLocalPassword(cfg.disableLocalPassword)
+    	}
     	if cfg.registerDevice {
     		cfg.SetRegisterDevice(cfg.registerDevice)
     	}
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow disabling local password through broker.conf #1234

Uh oh!

Diff view

Diff view

There are no files selected for viewing

adombeck Feb 2, 2026

Uh oh!

adombeck Feb 2, 2026

Uh oh!

shiv-tyagi Feb 2, 2026 •

edited

Loading

Uh oh!

adombeck Feb 2, 2026

Uh oh!

adombeck Feb 2, 2026

Uh oh!

adombeck Feb 2, 2026

Uh oh!

shiv-tyagi Feb 2, 2026 •

edited

Loading

Uh oh!

adombeck Feb 2, 2026

Uh oh!

adombeck Feb 2, 2026

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ -0,0 +1,3 @@
+    access: granted
+    data: '{"userinfo":{"name":"[email protected]","uuid":"test-user-id","dir":"/home/[email protected]","shell":"/usr/bin/bash","gecos":"[email protected]","groups":[{"name":"remote-test-group","ugid":"12345"},{"name":"local-test-group","ugid":""}]}}'
+    err: <nil>

-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ clientID=<CLIENT_ID @@
     clientSecret=
     issuerURL=https://ISSUER_URL>
     forceProviderAuthentication=false
+    disableLocalPassword=false
     registerDevice=false
     allowedUsers=map[]
     allUsersAllowed=false
@@ Expand Down @@

Allow disabling local password through broker.conf #1234

Are you sure you want to change the base?

Uh oh!

Allow disabling local password through broker.conf #1234

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

shiv-tyagi Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

shiv-tyagi Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

adombeck Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

shiv-tyagi Feb 2, 2026 •

edited

Loading

shiv-tyagi Feb 2, 2026 •

edited

Loading