Bug 1402056
| Field | Value |
|---|---|
| Summary | [RFE] Make 2FA prompting configurable |
| Product | Red Hat Enterprise Linux 7 |
| Component | sssd |
| Version | 7.3 |
| Reporter | Sumit Bose <sbose> |
| Assignee | Sumit Bose <sbose> |
| QA Contact | ipa-qe <ipa-qe> |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | FutureFeature, Reopened, TestCaseProvided |
| Flags | ksiddiqu: needinfo+ |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.16.4-11.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| : | 1695573 (view as bug list) |
| Bug Blocks | 1695573 |
| Last Closed | 2019-08-06 13:02:00 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| CC | aaron.hicks, amessina, amitkuma, amore, ayadav, b.prins, bthakur, ddas, dpal, ekeck, frenaud, grajaiya, jered, jhrozek, kludhwan, ksiddiqu, ldelouw, lslebodn, mkosek, mvarun, mzidek, ndehadra, pasik, pbrezina, pgozart, sgoveas, spurrier, sssd-maint, wliang |
Upstream ticket: https://fedorahosted.org/sssd/ticket/3264

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

I'm sorry, I didn't mean to dev_nack the bug, reopening.

Instead of two lines it would be nice to have a hint in one line:

client:~# ssh server -l user
user@server's password:

and

client:~# ssh server -l user
user@server's password+otp:

Having just one prompt is more Yubikey friendly as one just needs to provide the password and touch the Yubikey.

Additional use case: Mobile (Android etc.) clients (probably others) that have their own passwd prompt and submit the password in one string do not work with the current situation.

Thanks

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3458

(This how to test is a little hand-wavy because the solution will involve a new option and I don't know exactly how it will be named etc..)

So currently the only service that can handle both prompts in a single line is sshd. The fix would be about making that configurable, so the admin would be able to configure another service (e.g. su, login, ...) and then log in using the first and second factor given on a single line.

*** Bug 1466504 has been marked as a duplicate of this bug. ***

*** Bug 1485441 has been marked as a duplicate of this bug. ***

*** Bug 1485438 has been marked as a duplicate of this bug. ***

Hello,

Do we have any update for the customer?

Thanks,
kushal

master: 45efba7 a4d1785 fc26b4a ac4b33f fa8ef7c (backport on review)

* sssd-1-16:
558b543270d4bb56336c48040611fbc7c5552451
efefac9f41354e5e8d794ce5c6ceb7f0ebc3ed78
c91c6dd4ba87ace0b1566e93539a95b59ec385fa
ca65bfdab55c614eb5c1195065d38e696594a80d
d453f92e1c2312655b3359fc16f386b8d569c668
ceb4c8e219d01c29d0dfbfff13020ca58b4113d2

Verified
[root@cypher ~]# rpm -qa ipa-server sssd
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-13.el7.x86_64
[root@cypher ~]# cat /etc/sssd/sssd.conf
[domain/testrelm0513.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm0513.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypher.testrelm0513.test
chpass_provider = ipa
ipa_server = cypher.testrelm0513.test
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh
domains = testrelm0513.test
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
[prompting/2fa/sshd]
single_prompt = True
first_prompt = Please enter password + OTP token value:
[root@cypher ~]# ssh cypher.testrelm0513.test -l testuser1
Please enter password + OTP token value:
Last login: Thu May 16 10:09:42 2019 from cypher.testrelm0513.test
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by mvarun.
To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker
To extend your reservation time. You can run the command:
extendtesttime.sh
This is an interactive script. You will be prompted for how many
hours you would like to extend the reservation.
You should verify the watchdog was updated succesfully after
you extend your reservation.
https://beaker.engineering.redhat.com/recipes/6866155
For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/cypher.testrelm0513.test
For the default root password, see:
https://beaker.engineering.redhat.com/prefs/
Beaker Test information:
HOSTNAME=cypher.testrelm0513.test
JOBID=3537008
RECIPEID=6866155
RESULT_SERVER=
DISTRO=RHEL-7.7-20190514.n.0
ARCHITECTURE=x86_64
Job Whiteboard: IPA :: RHEL 7.7 :: x86_64 :: Quickinstall (with replica/client) TESTRELM0513
Recipe Whiteboard: IPA MASTER
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Could not chdir to home directory /home/testuser1: No such file or directory
-sh-4.2$
-sh-4.2$
Based on the above observation, marking the bug VERIFIED
(In reply to Varun Mylaraiah from comment #35)
> [prompting/2fa/sshd]
> single_prompt = True
> first_prompt = Please enter password + OTP token value:

Can sshd be replaced with any other PAM authentication? i.e.

[prompting/2fa/openvpn]
single_prompt = True
first_prompt = "Blah"

Thanks,

Luc

(In reply to Luc de Louw from comment #36)
> (In reply to Varun Mylaraiah from comment #35)
> > [prompting/2fa/sshd]
> > single_prompt = True
> > first_prompt = Please enter password + OTP token value:
>
> Can sshd be replaced with any other PAM authentication? i.e.
>
> [prompting/2fa/openvpn]
> single_prompt = True
> first_prompt = "Blah"

Yes, the optional third part of the section name can specify a PAM service name so that the settings are only valid for this specific service. See man sssd.conf for details.

HTH

bye,
Sumit

>
> Thanks,
>
> Luc

There seems to be no mention of the 'prompting' configuration option in the man pages.

For sssd 1.16.4: https://jhrozek.fedorapeople.org/sssd/1.16.4/sssd.conf.5.html

For sssd 2.0.0: https://jhrozek.fedorapeople.org/sssd/2.0.0/man/sssd.conf.5.html

If these are not the current or correct documents, can you please link to online versions of the documentation that describe the features discussed?

A follow on question, are these features in sssd 2.0.0?

(In reply to Aaron Hicks from comment #38)
> There seems to be no mention of the 'prompting' configuration option in the
> man pages.
>
> For sssd 1.16.4:
> https://jhrozek.fedorapeople.org/sssd/1.16.4/sssd.conf.5.html
>
> For sssd 2.0.0:
> https://jhrozek.fedorapeople.org/sssd/2.0.0/man/sssd.conf.5.html
>
> If these are not the current or correct documents, can you please link to
> online versions of the documentation that describe the features discussed?

Sorry, this is only available in the latest upstream release 2.2.0 https://jhrozek.fedorapeople.org/sssd/2.2.0/man/sssd.conf.5.html.
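The exchange above says that the third part of a `[prompting/2fa/<service>]` section name restricts the settings to one PAM service. The following script is an added example for this bug report, not SSSD code: it parses an sssd.conf fragment and reports which prompts a given PAM service would receive, and flags a `single_prompt` value that is not a valid boolean. The `[prompting/2fa/sshd]` section mirrors comment #35; the generic `[prompting/2fa]` section, the per-key override of generic by service-specific settings, and the use of "First Factor:" / "Second Factor:" as built-in defaults are assumptions of this example and should be checked against sssd.conf(5) for the SSSD version in use.

```python
"""Which 2FA prompts a PAM service gets from SSSD's [prompting/2fa...] sections.

Added example for this bug, not SSSD's own code. Assumptions are marked.
"""
import configparser

# Prompts SSSD shows when nothing is configured (from the bug description).
DEFAULT_FIRST = "First Factor:"
DEFAULT_SECOND = "Second Factor:"
PROMPT_KEYS = ("single_prompt", "first_prompt", "second_prompt")

# Constructed sssd.conf fragment. The [prompting/2fa/sshd] section is the one
# from comment #35; the generic [prompting/2fa] section is an assumed addition
# used to show how a service without its own section is handled.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test

[prompting/2fa]
first_prompt = Password:
second_prompt = OTP:

[prompting/2fa/sshd]
single_prompt = True
first_prompt = Please enter password + OTP token value:
"""


def load_sssd_conf(text):
    """Parse sssd.conf-style text. Only '=' is treated as the key/value
    delimiter so that prompt strings ending in ':' survive intact."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def resolve_2fa(cp, pam_service):
    """Return (settings, sources) for the given PAM service name.

    Assumption of this example: keys in [prompting/2fa/<service>] override the
    same keys in the generic [prompting/2fa]; unset keys fall back to SSSD's
    defaults. 'sources' records which section supplied each key, which is
    what an admin wants to know when a service shows an unexpected prompt.
    """
    settings = {"single_prompt": False,
                "first_prompt": DEFAULT_FIRST,
                "second_prompt": DEFAULT_SECOND}
    sources = {}
    for section in ("prompting/2fa", "prompting/2fa/" + pam_service):
        if not cp.has_section(section):
            continue
        for key in PROMPT_KEYS:
            if not cp.has_option(section, key):
                continue
            if key == "single_prompt":
                settings[key] = cp.getboolean(section, key)
            else:
                settings[key] = cp.get(section, key).strip()
            sources[key] = section
    return settings, sources


def prompt_sequence(conf_text, pam_service):
    """The prompt strings the user would see, in order, for one PAM service."""
    settings, _ = resolve_2fa(load_sssd_conf(conf_text), pam_service)
    if settings["single_prompt"]:
        return [settings["first_prompt"]]
    return [settings["first_prompt"], settings["second_prompt"]]


def audit_prompting(conf_text):
    """Return a list of problems found in [prompting/2fa*] sections.

    A single_prompt value that is not a recognised boolean is reported, since
    a typo there is easy to miss when a service simply keeps asking for two
    factors. Keys other than the three modelled here are reported as well.
    """
    cp = load_sssd_conf(conf_text)
    problems = []
    for section in cp.sections():
        if section != "prompting/2fa" and not section.startswith("prompting/2fa/"):
            continue
        for key in cp.options(section):
            if key not in PROMPT_KEYS:
                problems.append(f"{section}: unrecognised key '{key}'")
        if cp.has_option(section, "single_prompt"):
            try:
                cp.getboolean(section, "single_prompt")
            except ValueError:
                problems.append(f"{section}: single_prompt is not a boolean: "
                                f"{cp.get(section, 'single_prompt')!r}")
    return problems


if __name__ == "__main__":
    for svc in ("sshd", "openvpn", "login"):
        print(svc, "->", prompt_sequence(SAMPLE_CONF, svc))
    print("problems:", audit_prompting(SAMPLE_CONF))
```

Run against the sample, `sshd` resolves to the single combined prompt while `openvpn` and `login`, having no section of their own, fall back to the generic two-prompt configuration. To check a live system, read `/etc/sssd/sssd.conf` into `prompt_sequence` with the PAM service name that the client uses (`sshd`, `su`, `login`, ...).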
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177

Created attachment 1617187 [details]
test build

Please find attached a test build for this feature.

Please note that there is a known issue with the configuration of the feature https://bugzilla.redhat.com/show_bug.cgi?id=1749279. See the description of the other ticket for a workaround.

bye,
Sumit

Test added upstream in freeipa workspace:
ipatests/test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt
ipatests/test_integration/test_otp.py::TestOTPToken::test_2fa_disable_single_prompt
master:
8007cec ipatests: Added test when 2FA prompting configurations is set.
ipa-4-8:
dcdcbe3 ipatests: Added test when 2FA prompting configurations is set.
ipa-4-7:
85b595a Add test case for OTP login
40359d2 ipatests: Added test when 2FA prompting configurations is set.
ipa-4-6:
cabb7ab Add test case for OTP login
b36c4a7 ipatests: Added test when 2FA prompting configurations is set.
734121f Mark xfail for tests using sssd-1.16.3
Description of problem:

Currently when 2-factor authentication is configured on the server side SSSD prompts for:

First Factor:
Second Factor:

To be able to change the prompts to give the user a better hint what to enter in a given environment, or to short-cut it to a single prompt where both factors are entered in a single string, new config options should be added to sssd.conf.