[Freeipa-users] Re: SSSD prompting/2fa

Fri, 15 Jul 2022 03:38:12 -0700 

On 08/07/2022 07:57, Sigbjorn Lie-Soland wrote:




On 8 Jun 2022, at 10:26, Sam Morris via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

On 03/06/2022 08:19, Sigbjorn Lie via FreeIPA-users wrote:

Hi list,
When I have a 2FA enabled user account, I receive the two password prompt for sudo at a 
host, even on hosts where 2FA is not required. This breaks Ansible for me, when using 
"become" with Ansible.


A way forward might be to use GSSAPIAuthentication to authenticate to the 
remote server, GSSAPIDelegateCredentials to forward your Kerberos TGT to the 
remote server, and (on the server side) configure pam_sss_gss in sudo's PAM 
stack so that users with a valid Kerberos TGT do not get prompted for their 
passwords at all.



This is an option. Have you done this yourself and perhaps has an example of 
what such a PAM stack looks like?


On the server side (assuming RHEL), you need:

[user@host ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth      sufficient pam_sss_gss.so
auth       include system-auth
account    include system-auth
password   include system-auth
session    include system-auth

and

[user@host ~]$ sudo crudini --format=ini  --get /etc/sssd/sssd.conf pam
[pam]
pam_gssapi_services = sudo, sudo-i

On the client side:


$ ansible --ssh-common-args='-o GSSAPIDelegateCredentials=yes' -b -i 
host.example.com, all -m id



Note that there is a bug in RHEL 8.6 that prevents this from working: 
<https://bugzilla.redhat.com/show_bug.cgi?id=2088817> (I'm hoping for a 
bugfix advisory soon...) :)


Things to check if it doesn't work:

* Do you have a valid TGT on the client? (klist -s && echo OK)
* Does 'ssh -o GSSAPIAuthentication=yes host.example.com' work?

* Add 'debug' to the PAM module configuration and watch syslog & 
sssd_pam.log to see why the PAM module might not work


--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure






















					Reply via email to