This repository has been archived by the owner on Mar 8, 2023. It is now read-only.

Allow a grace period #14

Open
qlux opened this issue May 25, 2020 · 3 comments · May be fixed by #19

Comments

@qlux

qlux commented May 25, 2020

Currently the module does not allow a grace period when a previous authentication was successful. This PR would allow a history of successes and errors to be saved in the local sqlite db and return success without checking the token if the previous success is within the grace period defined in the pam file.

qlux added a commit to qlux/pam_python that referenced this issue May 25, 2020
Add 2 functions to save and retrieve history of events
Fixes privacyidea#14
@qlux qlux mentioned this issue May 25, 2020
@cornelinux
Member

@qlux: Thank you for your request and suggestion.
It does not do this, since imho this is not sensible to do.

Do you expect the module to not ask at all? What for? What is your use case?
This means, if I have an SSH server and I login as root from my computer with 2nd factor, an attacker can come and login from his computer within the grace period without presenting a 2nd factor?

Or do you want the module to accept the same OTP value?
Do you want this to work offline?

@qlux
Author

qlux commented Aug 10, 2020

Hi @cornelinux,
Indeed the module would serve as a 2FA in the sense that a first authentication always has to be successful first. In sshd, 2 authentications would have to be forced through
AuthenticationMethods password,keyboard-interactive publickey,keyboard-interactive

Industry standard is to ask for a 2FA once every ~30 days maybe; this modification would allow the secondary token through privacyidea to be asked for only when a successful authentication hasn't been recorded within the grace period.
Next step would be to record the source IP of the client and store the success with the IP to force 2FA when the IP is different.
Let me know if that makes sense.

@qlux
Author

qlux commented Aug 11, 2020

I'm adding the rhost value into the history and have modified the python script for the Travis test.

@qlux qlux linked a pull request Aug 11, 2020 that will close this issue
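The design discussed in this thread (a local sqlite history of second-factor successes and failures, a grace period set in the PAM config, and the rhost recorded so that a different client always gets challenged) can be sketched as follows. This is an added example written for this page; it is not the code in the linked PR or the project's own module. The `pam_sm_authenticate` wiring follows the pam_python calling convention (`pamh`, `flags`, `argv`), but the option names `grace` and `history_db`, the `CHECK_OTP` hook where the real privacyIDEA token check would go, and all sample users and hosts are assumptions made for illustration.

```python
"""Grace-period check for a pam_python module, backed by a local sqlite history.

Added example for this issue thread; not the project's code. The PAM option
names, the CHECK_OTP hook and the sample data below are assumptions.
"""
import sqlite3
import time

# History schema: one row per second-factor attempt, including the remote host
# so a success from one client never covers a login from another.
SCHEMA = """
CREATE TABLE IF NOT EXISTS auth_history (
    id      INTEGER PRIMARY KEY,
    user    TEXT    NOT NULL,
    rhost   TEXT    NOT NULL,
    success INTEGER NOT NULL,
    ts      INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_history_user_ts ON auth_history (user, ts);
"""


def open_history(path=":memory:"):
    """Open (and initialise) the history database; ':memory:' for the demo."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, user, rhost, success, ts=None):
    """Append a success/failure event for user@rhost."""
    ts = int(time.time()) if ts is None else int(ts)
    conn.execute(
        "INSERT INTO auth_history (user, rhost, success, ts) VALUES (?, ?, ?, ?)",
        (user, rhost, int(bool(success)), ts),
    )
    conn.commit()


def within_grace(conn, user, rhost, grace_seconds, now=None):
    """True only if the newest event for user is a success from the same rhost
    and it is no older than grace_seconds. A failure after the last success,
    a different client, or a timestamp in the future (clock skew) all deny."""
    now = int(time.time()) if now is None else int(now)
    row = conn.execute(
        "SELECT rhost, success, ts FROM auth_history "
        "WHERE user = ? ORDER BY ts DESC, id DESC LIMIT 1",
        (user,),
    ).fetchone()
    if row is None:
        return False
    last_rhost, last_success, last_ts = row
    if not last_success:
        return False            # a failed attempt ends the grace period
    if last_rhost != rhost:
        return False            # different client: always ask for the 2nd factor
    age = now - last_ts
    return 0 <= age <= grace_seconds


def authenticate_with_grace(conn, user, rhost, grace_seconds, check_otp, now=None):
    """Skip the token check inside the grace period, otherwise run it and
    record the outcome. Returns 'grace', 'ok' or 'fail'."""
    if grace_seconds > 0 and within_grace(conn, user, rhost, grace_seconds, now):
        return "grace"
    ok = bool(check_otp(user))
    record_event(conn, user, rhost, ok, now)
    return "ok" if ok else "fail"


# Hook for the real second-factor check (assumption: in the actual module this
# would prompt for the OTP and validate it against privacyIDEA).
CHECK_OTP = lambda user: False


def pam_sm_authenticate(pamh, flags, argv):
    """pam_python entry point. Options (assumed names) are given in the pam
    file as e.g. 'grace=2592000 history_db=/var/lib/pam_otp_history.sqlite'."""
    opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
    grace_seconds = int(opts.get("grace", "0"))
    db_path = opts.get("history_db", "/var/lib/pam_otp_history.sqlite")
    user = pamh.get_user(None)
    rhost = pamh.rhost or "local"
    conn = open_history(db_path)
    result = authenticate_with_grace(conn, user, rhost, grace_seconds, CHECK_OTP)
    return pamh.PAM_SUCCESS if result in ("grace", "ok") else pamh.PAM_AUTH_ERR


if __name__ == "__main__":
    # Constructed demo: 30-day grace, alice logs in twice from the same host,
    # then once from a different host.
    conn = open_history()
    t0 = 1_600_000_000
    print(authenticate_with_grace(conn, "alice", "10.0.0.5", 30 * 86400, lambda u: True, t0))
    print(authenticate_with_grace(conn, "alice", "10.0.0.5", 30 * 86400, lambda u: False, t0 + 60))
    print(authenticate_with_grace(conn, "alice", "10.0.0.9", 30 * 86400, lambda u: False, t0 + 120))
```

Two points worth noting for anyone wiring this into a real module: the history file must be writable only by root, since anyone who can insert a success row can skip the second factor for the grace period; and the rhost check only helps where sshd actually sets `PAM_RHOST`, so the `"local"` fallback above should be treated as a separate client rather than as a wildcard.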