Hi list,

When I have a 2FA-enabled user account, I receive two password prompts for sudo at a host, even on hosts where 2FA is not required. This breaks Ansible for me when using "become".

I am testing the [prompting/2fa] options in sssd to remediate this. I have the following configuration:

---
[prompting/2fa/sudo]
first_prompt = 'Please enter your password and optional OTP token value: '
single_prompt = True
---

This provides me with a single prompt, with the configured text when I run sudo on this host.

However, the 2FA OTP code is no longer optional. If I do not enter both my password and an OTP code, the authentication fails. So this still does not fix Ansible for me.

From /var/log/secure:
---
Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser= myusername rhost= user= myusername
Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
---


The only change performed is to add the above prompting configuration to sssd.conf. If I remove the prompting configuration from sssd.conf, I can authenticate using only my password, though with two prompts.

Either way, I am unable to run Ansible anymore.

Any suggestions on how to fix this?


Regards,
Siggi


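As an added example (not part of the post above, and not code from SSSD, FreeIPA or Ansible): a small Python parser that turns /var/log/secure lines of the shape quoted in the post into a per-user summary of sudo outcomes. This is the kind of check a practitioner runs to confirm whether sudo attempts under a new prompting configuration are being rejected at the PAM stage (pam_sss status 7, PAM_AUTH_ERR) rather than by sudo itself. The sample input is constructed: the three lines from the post plus one made-up sudo success line in sudo's usual accounting format. The regexes, function names and the layout of the summary dictionary are assumptions of this example, not anything defined by sssd or sudo.

```python
import re
from collections import defaultdict

# Constructed sample input in the /var/log/secure format quoted in the post.
# Lines 1-3 are the ones from the post; line 4 is a constructed sudo success
# line in sudo's standard accounting format, so the summary shows both outcomes.
SAMPLE_LOG = """\
Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
Jun 3 09:20:41 myhost.mydomain.tld sudo[2290113]: myusername : TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=/usr/bin/id
"""

# Syslog prefix: "<Mon> <day> <hh:mm:ss> <host> <program>[<pid>]: <message>"
PREFIX = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# pam_sss verdict line: "received for user <user>: <code> (<text>)"; code 0 is PAM_SUCCESS
PAM_RESULT = re.compile(
    r'^pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$'
)
# sudo's own failed-attempt line
SUDO_FAIL = re.compile(
    r'^(?P<user>\S+) : (?P<n>\d+) incorrect password attempts? ; (?P<rest>.*)$'
)
# sudo's own accounting line for a command that was allowed to run
SUDO_OK = re.compile(
    r'^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$'
)


def parse_line(line):
    """Return a dict describing one sudo/pam_sss event, or None if the line is not one.

    The 'authentication failure; logname=...' detail line is deliberately skipped:
    the 'received for user' line for the same pid carries the PAM status code.
    """
    m = PREFIX.match(line.strip())
    if not m or m.group('prog') != 'sudo':
        return None
    msg = m.group('msg')
    base = {'ts': m.group('ts'), 'pid': int(m.group('pid'))}
    r = PAM_RESULT.match(msg)
    if r:
        return {**base, 'kind': 'pam_result', 'user': r.group('user'),
                'service': r.group('service'), 'code': int(r.group('code')),
                'text': r.group('text')}
    r = SUDO_FAIL.match(msg)
    if r:
        return {**base, 'kind': 'sudo_fail', 'user': r.group('user'),
                'attempts': int(r.group('n'))}
    r = SUDO_OK.match(msg)
    if r:
        return {**base, 'kind': 'sudo_ok', 'user': r.group('user'),
                'target': r.group('target'), 'cmd': r.group('cmd')}
    return None


def summarize(log_text):
    """Per-user summary: failed sudo sessions (deduplicated by pid), PAM status
    codes that were not success, and commands sudo actually ran."""
    acc = defaultdict(lambda: {'failed_pids': set(), 'pam_codes': [], 'ok_cmds': []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        u = acc[ev['user']]
        if ev['kind'] == 'pam_result' and ev['code'] != 0:
            u['failed_pids'].add(ev['pid'])
            u['pam_codes'].append(ev['code'])
        elif ev['kind'] == 'sudo_fail':
            u['failed_pids'].add(ev['pid'])   # same session as the pam_sss line
        elif ev['kind'] == 'sudo_ok':
            u['ok_cmds'].append(ev['cmd'])
    return {user: {'failed_sessions': len(v['failed_pids']),
                   'pam_codes': v['pam_codes'],
                   'ok_cmds': v['ok_cmds']}
            for user, v in acc.items()}


if __name__ == '__main__':
    for user, s in summarize(SAMPLE_LOG).items():
        print(user, s)
```

Counting failures by sudo pid rather than by line matters here: one rejected sudo session produces both a pam_sss line and a sudo "incorrect password attempt" line, and counting each separately would double the failure rate. The PAM status code in the pam_sss line (7 here) is what distinguishes a credential rejected by SSSD from, say, a sudoers policy denial, which sudo logs without any pam_sss verdict.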
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure