Bug 1276868

Summary: Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
Product: [Fedora] Fedora
Reporter: david
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 23
CC: abokovoy, dkopecek, james.beal, jhrozek, kzak, lslebodn, martin, pbrezina, preichl, rharwood, rsroka, sbose, ssorce
Hardware: All
OS: Linux
Fixed In Version: sssd-1.13.3-6.fc23 sssd-1.13.3-6.fc22
Doc Type: Bug Fix
Last Closed: 2016-03-30 20:52:48 UTC
Type: Bug

Description david 2015-10-31 17:39:47 UTC
Description of problem:
PAM can show multiple password prompts, e.g. for 2-Factor authorization. Sudo seems to be limited to one password prompt.

pam_sss in Fedora 22 will use the following prompt if 2FA is enabled for the user (using the FreeIPA Backend).
First Factor: 
Second Factor: 

The second factor usually is provided by an OTP token.

SUDO currently only uses the first prompt and stops after that.

$ sudo -s
First Factor: 
Sorry, try again
First Factor: 


Version-Release number of selected component (if applicable):
1.8.14p3

How reproducible:


Steps to Reproduce:
1. Use SSSD with FreeIPA as backend
2. Use standard authconfig PAM configuration for sssd
3. Enable OTP for a user in FreeIPA
4. Try sudo for this user

Actual results:
$ sudo -s
First Factor: 
Sorry, try again
First Factor: 


Expected results:
$ sudo -s
First Factor: 
Second Factor: 


Additional info:

Upstream bugreport: http://bugzilla.sudo.ws/show_bug.cgi?id=726

Comment 1 Sumit Bose 2016-03-07 16:26:22 UTC
I think this is more an SSSD issue. According to the pam_start man page there are two different expectations about the arrangement of the data in the pam_message struct. SSSD so far only served the Linux-PAM style, while sudo seems to expect the Solaris style.

Please find an SSSD test build for F22 at http://koji.fedoraproject.org/koji/taskinfo?taskID=13261503. It would be helpful if you can install the test build and check if sudo now prompts for the 2 factors as expected.
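
The two readings of the conversation's pam_message argument that Comment 1 refers to, as an added C example that is not part of the original comment and is not SSSD's patch. `struct demo_message`, `read_linux`, `read_solaris`, `build_portable` and the prompt data are constructed stand-ins so it builds without the PAM headers; a pointer array into one contiguous struct array is one layout that both readings resolve to the same prompts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct pam_message so this builds without the PAM headers. */
struct demo_message { int msg_style; const char *msg; };

/* Linux-PAM reading: msg is an array of pointers, one per message. */
const char *read_linux(const struct demo_message **msg, int i) {
    return msg[i]->msg;
}

/* Solaris reading: *msg is the start of one contiguous array of messages. */
const char *read_solaris(const struct demo_message **msg, int i) {
    return (*msg)[i].msg;
}

/* Constructed prompts, taken from the report. Slot 1 of the pool is a gap, so
 * the pointer array below is valid Linux-PAM style but not contiguous. */
static struct demo_message pool[3] = {
    { 1, "First Factor: " }, { 0, NULL }, { 1, "Second Factor: " }
};
static const struct demo_message *linux_only[2] = { &pool[0], &pool[2] };

/* Layout valid for both readings: a contiguous array plus pointers into it. */
const struct demo_message **build_portable(const char *const *prompts, int n) {
    struct demo_message *arr = calloc((size_t)n, sizeof(*arr));
    const struct demo_message **ptrs = calloc((size_t)n, sizeof(*ptrs));
    if (arr == NULL || ptrs == NULL) { free(arr); free(ptrs); return NULL; }
    for (int i = 0; i < n; i++) {
        arr[i].msg_style = 1;      /* constructed style value */
        arr[i].msg = prompts[i];
        ptrs[i] = &arr[i];         /* ptrs[i] and (*ptrs)[i] name the same struct */
    }
    return ptrs;
}

void free_portable(const struct demo_message **p) { if (p) { free((void *)p[0]); free(p); } }

int main(void) {
    const char *const prompts[] = { "First Factor: ", "Second Factor: " };
    const struct demo_message **m = build_portable(prompts, 2);
    if (m == NULL) return 1;
    const char *lost = read_solaris(linux_only, 1);  /* lands in the gap slot */
    printf("non-contiguous, Solaris reading: %s\n", lost ? lost : "(missing)");
    printf("portable, Solaris reading: %s\n", read_solaris(m, 1));
    free_portable(m);
    return 0;
}
```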

Comment 2 david 2016-03-08 13:43:37 UTC
It works with the test build. 

Thanks!

Comment 3 Sumit Bose 2016-03-08 16:58:08 UTC
Thank you for the feedback. I submitted the patch for additional review by the other developers.

Comment 4 Jakub Hrozek 2016-03-14 16:29:08 UTC
Fixed upstream:
    master: 957e0a8675359d90fa50067b704578d01f565bba
    sssd-1-13: 4a01e6a6fd66e622b80739472a0aa06d1c79a6a9

Comment 5 Fedora Update System 2016-03-22 09:48:52 UTC
sssd-1.13.3-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc

Comment 6 Fedora Update System 2016-03-22 09:49:26 UTC
sssd-1.13.3-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa

Comment 7 Fedora Update System 2016-03-22 09:49:55 UTC
sssd-1.13.3-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4

Comment 8 Fedora Update System 2016-03-22 16:54:48 UTC
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc

Comment 9 Fedora Update System 2016-03-22 21:25:36 UTC
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4

Comment 10 Fedora Update System 2016-03-22 21:31:05 UTC
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa

Comment 11 Fedora Update System 2016-03-26 17:54:47 UTC
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-03-30 20:52:37 UTC
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-03-30 21:19:06 UTC
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.