> On 8 Jul 2022, at 08:38, Sumit Bose <[email protected]> wrote:
>
> On Fri, Jun 03, 2022 at 09:19:51AM +0200, Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>>
>> When I have a 2FA enabled user account, I receive the two password prompt
>> for sudo at a host, even on hosts where 2FA is not required. This breaks
>> Ansible for me, when using "become" with Ansible.
>>
>> I am testing the [prompting/2fa] options in sssd to remediate this. I have
>> the following configuration:
>>
>> ---
>> [prompting/2fa/sudo]
>> first_prompt = 'Please enter your password and optional OTP token value: '
>> single_prompt = True
>> ---
>>
>> This provides me with a single prompt, with the configured text when I run
>> sudo on this host.
>>
>> However the 2FA OTP code is no longer optional. If I do not enter both my
>> password and an OTP code, the authentication fails. So still this does not
>> fix Ansible for me.
>>
>> From /var/log/secure:
>> ---
>> Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth):
>> authentication failure; logname=myusername uid=12345678 euid=0
>> tty=/dev/pts/1 ruser=myusername rhost= user=myusername
>> Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth):
>> received for user myusername: 7 (Authentication failure)
>> Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect
>> password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ;
>> COMMAND=list
>> ---
>>
>> The only change performed is to add the above prompting configuration to
>> sssd.conf. If I remove the prompting configuration from sssd.conf, I can now
>> authenticate using only my password, even though with two prompts.
>>
>> In either way, I am unable to run Ansible anymore.
>>
>> Any suggestions on how to fix this?
>
> Hi,
>
> I think this can be only "fixed" by an additional option for the
> prompting configuration. The reason is that on the Kerberos level
> 1fa password authentication and 2fa with the same password and a second
> factor are handled differently. So we must know in advance if we have a
> string with only the password or with the password and a second factor
> to use the right scheme. Trial and error is imo not a good idea because
> there would be a fair chance to increase error counters which might lock
> the password.
>
> Currently there is no option to determine the order of the different
> prompts and a heuristic is used. If Smartcard authentication is
> possible, it is preferred. Otherwise 2fa if available is tried before
> password authentication. A configuration to tell SSSD to ask only for
> the password first (and only do 2fa if the password is empty) for sudo
> might help in your use case. An alternative would be to add an option
> for the 2fa part like e.g. 'single_prompt_only_has_password' but imo
> this looks odd in a 2fa part. So I think a new option for the order
> would be better and might offer other use-cases as well.
>

This is happening on machines where 2FA requirement is not configured (OTP indicator *not* set on the host in IPA). Is it possible to have just the 1FA prompt when the host object in IPA is not configured to require OTP?

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
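Sumit's point that a wrong guess about the prompt scheme "might lock the password" is the operational risk in this thread: every failed `pam_sss(sudo:auth)` attempt counts against the account's failure counter on the IPA side. The script below is an added example (not code from the thread, SSSD or FreeIPA) that parses `/var/log/secure` lines of the shape Sigbjorn posted, tallies pam_sss sudo authentication failures per user, cross-checks them against sudo's own "N incorrect password attempts" summary, and flags users approaching a failure threshold. The sample log text is constructed to match the thread's format, and the threshold value is an assumption standing in for the site's IPA password lockout policy, which the thread does not state.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the /var/log/secure excerpt in the thread.
SAMPLE_LOG = """\
Jun  3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
Jun  3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
Jun  3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
Jun  3 09:16:02 myhost.mydomain.tld sudo[2289901]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
Jun  3 09:16:02 myhost.mydomain.tld sudo[2289901]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure)
Jun  3 09:16:05 myhost.mydomain.tld sudo[2289901]: myusername : 2 incorrect password attempts ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list
Jun  3 09:20:11 myhost.mydomain.tld sudo[2290100]: otheruser : TTY=pts/2 ; PWD=/home/otheruser ; USER=root ; COMMAND=/bin/ls
"""

# One pam_sss failure event per line.  The leading " user=" (with the space)
# deliberately avoids matching the "ruser=" field earlier on the same line.
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo\[(?P<pid>\d+)\]: pam_sss\(sudo:auth\): authentication failure;"
    r".* user=(?P<user>\S*)"
)

# sudo's own per-session tally, written after it gives up on a session.
SUDO_SUMMARY_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\]: (?P<user>\S+) : (?P<n>\d+) incorrect password attempts? ;"
)


def parse_pam_sss_failures(log_text):
    """Return one dict (ts, host, pid, user) per pam_sss sudo auth failure."""
    events = []
    for line in log_text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_user(log_text):
    """Count pam_sss sudo auth failures per target user."""
    return Counter(ev["user"] for ev in parse_pam_sss_failures(log_text))


def sudo_reported_attempts(log_text):
    """Highest 'N incorrect password attempts' value sudo itself logged per user."""
    best = defaultdict(int)
    for line in log_text.splitlines():
        m = SUDO_SUMMARY_RE.search(line)
        if m:
            user, n = m.group("user"), int(m.group("n"))
            best[user] = max(best[user], n)
    return dict(best)


def users_at_lockout_risk(log_text, threshold):
    """Users whose pam_sss failure count has reached the (assumed) lockout threshold."""
    return sorted(u for u, n in failures_per_user(log_text).items() if n >= threshold)


if __name__ == "__main__":
    # Threshold is an assumption; read the real value from the IPA password policy.
    ASSUMED_LOCKOUT_THRESHOLD = 2
    print("pam_sss failures:", dict(failures_per_user(SAMPLE_LOG)))
    print("sudo reported:   ", sudo_reported_attempts(SAMPLE_LOG))
    print("at risk:         ", users_at_lockout_risk(SAMPLE_LOG, ASSUMED_LOCKOUT_THRESHOLD))
```

Running it on a host where an automation account (such as the one Ansible uses with `become`) keeps hitting the two-factor prompt shows the failure count climbing with every play, which is the signal to fix the prompting configuration before the account locks rather than after.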
