> On 8 Jun 2022, at 10:26, Sam Morris via FreeIPA-users <[email protected]> wrote:
>
> On 03/06/2022 08:19, Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>> When I have a 2FA enabled user account, I receive the two password prompt
>> for sudo at a host, even on hosts where 2FA is not required. This breaks
>> Ansible for me, when using "become" with Ansible.
>
> A way forward might be to use GSSAPIAuthentication to authenticate to the
> remote server, GSSAPIDelegateCredentials to forward your Kerberos TGT to the
> remote server, and (on the server side) configure pam_sss_gss in sudo's PAM
> stack so that users with a valid Kerberos TGT do not get prompted for their
> passwords at all.
>
This is an option. Have you done this yourself and perhaps have an example of what such a PAM stack looks like?
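
A sketch of the setup described in the quoted suggestion, added here as an example and not taken from any message in this thread. The host name `server.example.test`, the `include system-auth` lines, and the choice of services are assumptions; the stock sudo PAM file differs between distributions.

```conf
# --- Client: ~/.ssh/config (host name is a placeholder) ---
Host server.example.test
    GSSAPIAuthentication yes
    # Forwards the TGT, so the server can act as the user while the
    # delegated ticket is valid. Enable only for hosts you trust.
    GSSAPIDelegateCredentials yes

# --- Server: /etc/ssh/sshd_config ---
GSSAPIAuthentication yes

# --- Server: /etc/sssd/sssd.conf ---
# pam_sss_gss only acts for the PAM services listed here.
[pam]
pam_gssapi_services = sudo, sudo-i

# --- Server: /etc/pam.d/sudo (assumed layout; the same line goes in sudo-i) ---
#%PAM-1.0
# "sufficient": a valid Kerberos ticket satisfies auth; without one,
# PAM falls through to the normal password (and OTP) prompts below.
auth       sufficient   pam_sss_gss.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

With this in place, any process that can read the user's credential cache on the server can run sudo as that user without a prompt, so keep the sudo rules for GSSAPI-authenticated hosts as narrow as the Ansible use case allows. Restart sssd after changing sssd.conf.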
