Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/pam_message.h2
-rw-r--r--src/sss_client/pam_sss.c14
-rw-r--r--src/sss_client/sss_cli.h5
3 files changed, 19 insertions, 2 deletions
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
index f0a7a076c..34889e074 100644
--- a/src/sss_client/pam_message.h
+++ b/src/sss_client/pam_message.h
@@ -25,6 +25,7 @@
#include <unistd.h>
#include <stdint.h>
+#include <stdbool.h>
#include "sss_client/sss_cli.h"
@@ -56,6 +57,7 @@ struct pam_items {
char *otp_token_id;
char *otp_challenge;
char *first_factor;
+ bool password_prompting;
char *cert_user;
char *token_name;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 1ba02ad0e..fdb9c9076 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1014,6 +1014,10 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
D(("cert user: [%s] token name: [%s]", pi->cert_user,
pi->token_name));
break;
+ case SSS_PASSWORD_PROMPTING:
+ D(("Password prompting available."));
+ pi->password_prompting = true;
+ break;
default:
D(("Unknown response type [%d]", type));
}
@@ -1102,6 +1106,7 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->otp_vendor = NULL;
pi->otp_token_id = NULL;
pi->otp_challenge = NULL;
+ pi->password_prompting = false;
pi->cert_user = NULL;
pi->token_name = NULL;
@@ -1571,8 +1576,13 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
if (flags & FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
- _("Second Factor: "));
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor (optional): "));
+ } else {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor: "));
+ }
} else if (pi->cert_user != NULL) {
ret = prompt_sc_pin(pamh, pi);
} else {
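Review bot: The two `prompt_2fa()` calls in the new if/else differ only in the second label, so the label can be chosen first and the call made once: `const char *second = pi->password_prompting ? _("Second Factor (optional): ") : _("Second Factor: ");` followed by `ret = prompt_2fa(pamh, pi, _("First Factor: "), second);`. The enclosing condition also matches on `FLAGS_USE_2FA` alone, so the "(optional)" label can appear when that flag forced the two-factor prompt; if that is not intended, the check needs to be narrower. I would also add a comment above the branch, e.g. `/* Label only: password_prompting is set by eval_response() from the responder's reply and must not be treated as an authentication decision. */`, because how `prompt_2fa()` handles an empty second answer is not visible in this hunk. `get_authtok_for_authentication` starts and ends outside the hunk.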
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 17d8e4503..b6610bc6d 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -426,6 +426,11 @@ enum response_type {
SSS_OTP, /**< Indicates that the autotok was a OTP, so don't
* cache it. There is no message.
* @param None. */
+ SSS_PASSWORD_PROMPTING, /**< Indicates that password prompting is possible.
+ * This might be used together with
+ * SSS_PAM_OTP_INFO to determine the type of
+ * prompting. There is no message.
+ * @param None. */
};
/**