On Fri, Jul 08, 2022 at 09:28:34PM +0200, Sigbjorn Lie-Soland wrote:
>
>
> > On 8 Jul 2022, at 12:18, Sumit Bose <sb...@redhat.com> wrote:
> >
> > On Fri, Jul 08, 2022 at 11:47:13AM +0200, Sigbjorn Lie-Soland wrote:
> >>
> >>
> >>> On 8 Jul 2022, at 08:38, Sumit Bose <sb...@redhat.com> wrote:
> >>>
> >>> On Fri, Jun 03, 2022 at 09:19:51AM +0200, Sigbjorn Lie via
> >>> FreeIPA-users wrote:
> >>>> Hi list,
> >>>>
> >>>> When I have a 2FA-enabled user account, I receive the two password prompts
> >>>> for sudo at a host, even on hosts where 2FA is not required. This breaks
> >>>> Ansible for me when using "become" with Ansible.
> >>>>
> >>>> I am testing the [prompting/2fa] options in sssd to remediate this. I have
> >>>> the following configuration:
> >>>>
> >>>> ---
> >>>> [prompting/2fa/sudo]
> >>>> first_prompt = 'Please enter your password and optional OTP token value: '
> >>>> single_prompt = True
> >>>> ---
> >>>>
> >>>> This provides me with a single prompt, with the configured text, when I run
> >>>> sudo on this host.
> >>>>
> >>>> However, the 2FA OTP code is no longer optional. If I do not enter both my
> >>>> password and an OTP code, the authentication fails. So this still does not
> >>>> fix Ansible for me.
> >>>>
> >>>> From /var/log/secure:
> >>>> ---
> >>>> Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
> >>>> Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
> >>>> Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
> >>>> ---
> >>>>
> >>>>
> >>>> The only change performed is to add the above prompting configuration to
> >>>> sssd.conf.
> >>>> If I remove the prompting configuration from sssd.conf, I can now
> >>>> authenticate using only my password, although with two prompts.
> >>>>
> >>>> Either way, I am unable to run Ansible anymore.
> >>>>
> >>>> Any suggestions on how to fix this?
> >>>
> >>> Hi,
> >>>
> >>> I think this can only be "fixed" by an additional option for the
> >>> prompting configuration. The reason is that on the Kerberos level
> >>> 1fa password authentication and 2fa with the same password and a second
> >>> factor are handled differently. So we must know in advance if we have a
> >>> string with only the password or with the password and a second factor
> >>> to use the right scheme. Trial and error is imo not a good idea because
> >>> there would be a fair chance of increasing error counters, which might
> >>> lock the password.
> >>>
> >>> Currently there is no option to determine the order of the different
> >>> prompts, and a heuristic is used. If Smartcard authentication is
> >>> possible, it is preferred. Otherwise 2fa, if available, is tried before
> >>> password authentication. A configuration to tell SSSD to ask only for
> >>> the password first (and only do 2fa if the password is empty) for sudo
> >>> might help in your use case. An alternative would be to add an option
> >>> for the 2fa part like e.g. 'single_prompt_only_has_password', but imo
> >>> this looks odd in a 2fa part. So I think a new option for the order
> >>> would be better and might offer other use-cases as well.
> >>>
> >>
> >>
> >> This is happening on machines where the 2FA requirement is not configured
> >> (OTP indicator *not* set on the host in IPA). Is it possible to have
> >> just the 1FA prompt when the host object in IPA is not configured to
> >> require OTP?
> >
> > Hi,
> >
> > this would require code changes as well, and I'm not even sure if SSSD
> > currently has the permissions to read the authentication requirements of
> > the host objects.
> > Additionally, even if the host does not require 2FA
> > itself, the user might want to do 2FA, e.g. because the next service he
> > wants to access from this host requires 2FA.
> >
> > bye,
> > Sumit
> >
>
> Hi,
>
> Having a 2FA prompt on all servers regardless of the server being configured
> to require OTP is not very practical. Novice users do not understand if they
> need to enter the OTP code for every server or not.
>
> I do understand the option of having the 2FA prompt if they need to use 2FA
> for their next service; however, I do see this being relevant for sudo. At
> least having an sssd.conf option to exclude the OTP prompt and keep only the
> password prompt for certain PAM services, such as sudo, would be very
> beneficial.
>
> What do you think?
Hi,

please open a ticket at https://github.com/SSSD/sssd/issues/new to add an
option to allow ordering the different prompts so that 1FA password
authentication can be preferred over 2FA.

bye,
Sumit

>
> Regards,
> Siggi
>
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
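As an added example (not code from SSSD, FreeIPA or either poster), the script below parses the kind of /var/log/secure lines quoted in the thread and groups them by PID, so that the pam_sss result code and sudo's own "incorrect password attempt" summary for one sudo run land in a single record, with a per-user tally on top. The sample lines are constructed, modeled on the ones in the thread; host name, user names, PIDs and commands are made up. It also makes visible what the log does not tell you: a password-only entry at the combined prompt surfaces as pam_sss code 7 (Authentication failure), the same generic result a mistyped password would produce, so the two cannot be told apart from these lines and both count as failed attempts.

```python
"""Correlate pam_sss and sudo failure lines from /var/log/secure by PID.

Added example for this thread; not code from SSSD, FreeIPA or the posters.
SAMPLE_LINES is constructed, modeled on the lines quoted in the thread
(host name, user names, PIDs and commands are made up).
"""
import re
import sys
from collections import defaultdict

# Syslog prefix shared by all three line shapes: "Jun  3 09:15:16 host prog[pid]: "
_PREFIX = (
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: "
)

# pam_sss(<service>:auth): authentication failure; logname=... ruser=... user=<name>
# The \b stops "ruser=" from matching; "\s*" tolerates "user= name" as re-wrapped mail.
PAM_FAIL_RE = re.compile(
    _PREFIX
    + r"pam_sss\((?P<service>[^:)]+):auth\): authentication failure; "
    + r".*?\buser=\s*(?P<user>\S+)"
)
# pam_sss(<service>:auth): received for user <name>: <code> (<text>)
PAM_CODE_RE = re.compile(
    _PREFIX
    + r"pam_sss\((?P<service>[^:)]+):auth\): received for user "
    + r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
# sudo's own summary, logged after the PAM conversation failed.
SUDO_RE = re.compile(
    _PREFIX
    + r"(?P<user>\S+) : (?P<count>\d+) incorrect password attempts? ; "
    + r".*?COMMAND=(?P<command>.*)$"
)

SAMPLE_LINES = [  # constructed sample input
    # one sudo run that failed after the single combined prompt
    "Jun  3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication "
    "failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername",
    "Jun  3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user "
    "myusername: 7 (Authentication failure)",
    "Jun  3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; "
    "TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list",
    # a second run by the same user, different PID and command
    "Jun  3 09:16:02 myhost.mydomain.tld sudo[2289911]: pam_sss(sudo:auth): authentication "
    "failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername",
    "Jun  3 09:16:02 myhost.mydomain.tld sudo[2289911]: pam_sss(sudo:auth): received for user "
    "myusername: 7 (Authentication failure)",
    "Jun  3 09:16:04 myhost.mydomain.tld sudo[2289911]: myusername : 1 incorrect password attempt ; "
    "TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=/usr/bin/systemctl restart sssd",
    # an sshd failure also handled by pam_sss: different PID, so a separate record
    "Jun  3 09:17:30 myhost.mydomain.tld sshd[2290002]: pam_sss(sshd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=otheruser",
    "Jun  3 09:17:30 myhost.mydomain.tld sshd[2290002]: pam_sss(sshd:auth): received for user "
    "otheruser: 7 (Authentication failure)",
    # unrelated noise that must be ignored
    "Jun  3 09:18:00 myhost.mydomain.tld sshd[2290044]: Accepted publickey for otheruser "
    "from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:abc",
]


def parse_secure(lines):
    """Merge the three line shapes into one record per (host, pid)."""
    attempts = defaultdict(dict)
    for raw in lines:
        line = raw.rstrip("\n")
        if m := PAM_FAIL_RE.match(line):
            attempts[(m["host"], m["pid"])].update(
                ts=m["ts"], user=m["user"], service=m["service"], prog=m["prog"])
        elif m := PAM_CODE_RE.match(line):
            attempts[(m["host"], m["pid"])].update(
                user=m["user"], service=m["service"], prog=m["prog"],
                pam_code=int(m["code"]), pam_text=m["text"])
        elif (m := SUDO_RE.match(line)) and m["prog"] == "sudo":
            attempts[(m["host"], m["pid"])].update(
                user=m["user"], count=int(m["count"]), command=m["command"])
    return dict(attempts)


def summarize(lines):
    """Per-user view: number of pam_sss failures, the PAM services and denied sudo commands."""
    report = defaultdict(lambda: {"failures": 0, "services": set(), "commands": []})
    for (_host, pid), a in sorted(parse_secure(lines).items(), key=lambda kv: int(kv[0][1])):
        if a.get("pam_code") is None:
            continue  # no pam_sss result seen for this PID; nothing to count
        r = report[a["user"]]
        r["failures"] += 1
        r["services"].add(a["service"])
        if "command" in a:
            r["commands"].append(a["command"])
    return dict(report)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            report = summarize(fh)
    else:
        report = summarize(SAMPLE_LINES)
    for user, r in report.items():
        print(f"{user}: {r['failures']} pam_sss failure(s) via {sorted(r['services'])}")
        for cmd in r["commands"]:
            print(f"    sudo command denied: {cmd}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the constructed sample summarized, or pass a path such as /var/log/secure (requires read access to the file). Grouping by PID rather than by timestamp is deliberate: sudo writes its summary two seconds after the pam_sss lines in the thread's example, and several sudo runs by the same user can interleave, so the PID is the only reliable join key these lines offer.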