On Fri, Jun 03, 2022 at 09:19:51AM +0200, Sigbjorn Lie via FreeIPA-users wrote:
> Hi list,
>
> When I have a 2FA enabled user account, I receive the two password prompts for sudo at a host, even on hosts where 2FA is not required. This breaks Ansible for me, when using "become" with Ansible.
>
> I am testing the [prompting/2fa] options in sssd to remediate this. I have the following configuration:
>
> ---
> [prompting/2fa/sudo]
> first_prompt = 'Please enter your password and optional OTP token value: '
> single_prompt = True
> ---
>
> This provides me with a single prompt, with the configured text, when I run sudo on this host.
>
> However, the 2FA OTP code is no longer optional. If I do not enter both my password and an OTP code, the authentication fails. So this still does not fix Ansible for me.
>
> From /var/log/secure:
> ---
> Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser= myusername rhost= user= myusername
> Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
> Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
> ---
>
> The only change performed is to add the above prompting configuration to sssd.conf. If I remove the prompting configuration from sssd.conf, I can now authenticate using only my password, even though with two prompts.
>
> Either way, I am unable to run Ansible anymore.
>
> Any suggestions on how to fix this?
Hi,

I think this can only be "fixed" by an additional option for the prompting configuration. The reason is that on the Kerberos level, 1FA password authentication and 2FA with the same password and a second factor are handled differently. So we must know in advance if we have a string with only the password or with the password and a second factor, to use the right scheme. Trial and error is imo not a good idea because there would be a fair chance of increasing error counters, which might lock the password.

Currently there is no option to determine the order of the different prompts, and a heuristic is used. If Smartcard authentication is possible, it is preferred. Otherwise 2FA, if available, is tried before password authentication.

A configuration to tell SSSD to ask only for the password first (and only do 2FA if the password is empty) for sudo might help in your use case. An alternative would be to add an option for the 2FA part like e.g. 'single_prompt_only_has_password', but imo this looks odd in a 2FA part. So I think a new option for the order would be better and might offer other use cases as well.
bye,
Sumit

> Regards,
> Siggi
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
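As an added example (not part of the thread, and not SSSD's or sudo's own code), a small Python check that reads the pam_sss(sudo:auth) result lines of the kind quoted above and counts rejected sudo authentications per user, so a host can notice an Ansible "become" run burning through failed attempts before the error counters Sumit mentions lock the account. The sample log lines are constructed after the ones in the thread, and the lockout threshold is an assumption, not a FreeIPA default.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure lines quoted in the thread
# (one full failed sudo conversation, plus extra entries to exercise the counting).
SAMPLE_SECURE_LOG = """\
Jun  3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
Jun  3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
Jun  3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
Jun  3 09:16:02 myhost.mydomain.tld sudo[2289901]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
Jun  3 09:16:40 myhost.mydomain.tld sudo[2289950]: pam_sss(sudo:auth): received for user myusername: 0 (Success)
Jun  3 09:17:30 myhost.mydomain.tld sudo[2290010]: pam_sss(sudo:auth): received for user otheruser: 7 (Authentication failure)
"""

# pam_sss logs the final PAM result of each sudo authentication once per sudo process.
PAM_RESULT = re.compile(
    r"sudo\[(?P<pid>\d+)\]: pam_sss\(sudo:auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)


def pam_sss_sudo_failures(log_text):
    """Map each user to the sudo PIDs whose pam_sss authentication was rejected.

    Counting by sudo PID (rather than by line) avoids double counting the
    'authentication failure;' line and the 'received for user' line that
    pam_sss writes for the same attempt.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = PAM_RESULT.search(line)
        if m is None or m.group("code") == "0":   # 0 is PAM_SUCCESS
            continue
        pid = int(m.group("pid"))
        if pid not in failures[m.group("user")]:
            failures[m.group("user")].append(pid)
    return dict(failures)


def users_at_risk(log_text, threshold):
    """Users whose rejected sudo attempts reach the (assumed) lockout threshold."""
    return sorted(
        user for user, pids in pam_sss_sudo_failures(log_text).items()
        if len(pids) >= threshold
    )


if __name__ == "__main__":
    # The threshold here is an assumption for the demo; take the real value
    # from the IPA password policy that applies to the user.
    for user, pids in pam_sss_sudo_failures(SAMPLE_SECURE_LOG).items():
        print(f"{user}: {len(pids)} rejected sudo authentication(s), pids {pids}")
    print("at risk of lockout:", users_at_risk(SAMPLE_SECURE_LOG, threshold=2))
```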