1 files changed, 13 insertions, 2 deletions

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 5b2307c1b..cb2273c08 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -992,6 +992,10 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
                 D(("cert user: [%s] token name: [%s]", pi->cert_user,
                                                        pi->token_name));
                 break;
+            case SSS_PASSWORD_PROMPTING:
+                D(("Password prompting available."));
+                pi->password_prompting = true;
+                break;
             default:
                 D(("Unknown response type [%d]", type));
         }
@@ -1071,6 +1075,7 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
     pi->otp_vendor = NULL;
     pi->otp_token_id = NULL;
     pi->otp_challenge = NULL;
+    pi->password_prompting = false;
 
     pi->cert_user = NULL;
     pi->token_name = NULL;
@@ -1538,8 +1543,14 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
         if (flags & FLAGS_USE_2FA
                 || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
                         && pi->otp_challenge != NULL)) {
-            ret = prompt_2fa(pamh, pi, _("First Factor: "),
-                             _("Second Factor: "));
+            if (pi->password_prompting) {
+                ret = prompt_2fa(pamh, pi, _("First Factor or Password: "),
+                                 _("Second Factor, press return for "
+                                   "Password authentication: "));
+            } else {
+                ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                 _("Second Factor: "));
+            }
         } else if (pi->cert_user != NULL) {
             ret = prompt_sc_pin(pamh, pi);
         } else {