pam_sss: password change with two factor authentication

If two factor authentication is enforced, both authentication factors are
needed to update or change the long term password. This means that
during the PAM chauthtok operation it has to be determined if two factor
authentication is enabled for the user and the user must be prompted
accordingly.

Typically in the first step of the chauthtok operation (PAM_PRELIM_CHECK)
the current password is verified before asking the user for a new
password. With two factor authentication this has to be skipped because
the one-time factor would then be invalid to authenticate the actual
password change.

Related to https://pagure.io/SSSD/sssd/issue/3585

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
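
The following is an added example, not code from SSSD or from this commit: a simplified model of the two chauthtok phases showing why verifying a single-use factor in the preliminary check makes the actual change fail. The `account` struct, `backend_auth`, `chauthtok_phase`, `demo` and all sample credentials are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the two chauthtok phases (names constructed for this example). */
enum phase { PHASE_PRELIM_CHECK, PHASE_UPDATE_AUTHTOK };

/* Constructed backend account: long-term password plus one single-use code. */
struct account { char password[32]; const char *otp; bool otp_used; bool two_factor; };

/* With 2FA both factors are required, and a successful check consumes the code. */
static bool backend_auth(struct account *a, const char *pw, const char *otp)
{
    if (strcmp(a->password, pw) != 0) return false;
    if (!a->two_factor) return true;
    if (a->otp_used || strcmp(a->otp, otp) != 0) return false;
    a->otp_used = true;
    return true;
}

/* One phase; skip_prelim_2fa selects the behaviour the commit message describes. */
static bool chauthtok_phase(struct account *a, enum phase p, bool skip_prelim_2fa,
                            const char *pw, const char *otp, const char *new_pw)
{
    if (p == PHASE_PRELIM_CHECK) {
        if (a->two_factor && skip_prelim_2fa) return true; /* keep the code unused */
        return backend_auth(a, pw, otp);                   /* 2FA: burns the code */
    }
    if (!backend_auth(a, pw, otp)) return false;           /* the actual change */
    snprintf(a->password, sizeof(a->password), "%s", new_pw);
    return true;
}

/* Constructed scenario: both phases in order; 1 if the password was changed. */
static int demo(bool two_factor, bool skip_prelim_2fa, const char *typed_pw)
{
    struct account a = { "old-secret", "123456", false, two_factor };
    return chauthtok_phase(&a, PHASE_PRELIM_CHECK, skip_prelim_2fa, typed_pw, "123456", "new-secret")
        && chauthtok_phase(&a, PHASE_UPDATE_AUTHTOK, skip_prelim_2fa, typed_pw, "123456", "new-secret")
        && strcmp(a.password, "new-secret") == 0;
}

int main(void)
{
    printf("2FA, verify in prelim: %d\n", demo(true, false, "old-secret"));
    printf("2FA, skip in prelim:   %d\n", demo(true, true, "old-secret"));
    return 0;
}
```

Skipping the preliminary check does not weaken the change itself: in this model a wrong current password is still rejected in the update phase, where both factors are verified together.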