Bug 1402056
| Field | Value |
|---|---|
| Summary | [RFE] Make 2FA prompting configurable |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Sumit Bose <sbose> |
| Component | sssd |
| Assignee | Sumit Bose <sbose> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.3 |
| CC | aaron.hicks, amessina, amitkuma, amore, ayadav, b.prins, bthakur, ddas, dpal, ekeck, frenaud, grajaiya, jered, jhrozek, kludhwan, ksiddiqu, ldelouw, lslebodn, mkosek, mvarun, mzidek, ndehadra, pasik, pbrezina, pgozart, sgoveas, spurrier, sssd-maint, wliang |
| Target Milestone | rc |
| Keywords | FutureFeature, Reopened, TestCaseProvided |
| Target Release | --- |
| Flags | ksiddiqu: needinfo+ |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sssd-1.16.4-11.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| : | 1695573 (view as bug list) |
| Environment | |
| Last Closed | 2019-08-06 13:02:00 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1695573 |
| Attachments | |
Description
Sumit Bose
2016-12-06 16:45:49 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/3264

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

I'm sorry, I didn't mean to dev_nack the bug, reopening.

Instead of two lines it would be nice to have a hint in one line:

```
client:~# ssh server -l user
user@server's password:
```

and

```
client:~# ssh server -l user
user@server's password+otp:
```

Having just one prompt is more Yubikey friendly as one just needs to provide the password and touch the Yubikey.

Additional use case: Mobile (Android etc.) clients (probably others) that have their own password prompt and submit the password in one string do not work with the current situation.

Thanks

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3458

(This how-to-test is a little hand-wavy because the solution will involve a new option and I don't know exactly how it will be named etc.)

So currently the only service that can handle both prompts in a single line is sshd. The fix would be about making that configurable, so the admin would be able to configure another service (e.g. su, login, ...) and then log in using the first and second factor given on a single line.

*** Bug 1466504 has been marked as a duplicate of this bug. ***

*** Bug 1485441 has been marked as a duplicate of this bug. ***

*** Bug 1485438 has been marked as a duplicate of this bug. ***

Hello,

Do we have any update for the customer?

Thanks,
kushal

master: 45efba7 a4d1785 fc26b4a ac4b33f fa8ef7c (backport on review)

* sssd-1-16:
558b543270d4bb56336c48040611fbc7c5552451
efefac9f41354e5e8d794ce5c6ceb7f0ebc3ed78
c91c6dd4ba87ace0b1566e93539a95b59ec385fa
ca65bfdab55c614eb5c1195065d38e696594a80d
d453f92e1c2312655b3359fc16f386b8d569c668
ceb4c8e219d01c29d0dfbfff13020ca58b4113d2

Verified

```
[root@cypher ~]# rpm -qa ipa-server sssd
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-13.el7.x86_64

[root@cypher ~]# cat /etc/sssd/sssd.conf
[domain/testrelm0513.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm0513.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypher.testrelm0513.test
chpass_provider = ipa
ipa_server = cypher.testrelm0513.test
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh
domains = testrelm0513.test
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
[prompting/2fa/sshd]
single_prompt = True
first_prompt = Please enter password + OTP token value:

[root@cypher ~]# ssh cypher.testrelm0513.test -l testuser1
Please enter password + OTP token value:
Last login: Thu May 16 10:09:42 2019 from cypher.testrelm0513.test
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by mvarun.

To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker

To extend your reservation time. You can run the command: extendtesttime.sh
This is an interactive script. You will be prompted for how many
hours you would like to extend the reservation.

You should verify the watchdog was updated succesfully after
you extend your reservation.
https://beaker.engineering.redhat.com/recipes/6866155

For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/cypher.testrelm0513.test

For the default root password, see:
https://beaker.engineering.redhat.com/prefs/

Beaker Test information:
HOSTNAME=cypher.testrelm0513.test
JOBID=3537008
RECIPEID=6866155
RESULT_SERVER=
DISTRO=RHEL-7.7-20190514.n.0
ARCHITECTURE=x86_64

Job Whiteboard: IPA :: RHEL 7.7 :: x86_64 :: Quickinstall (with replica/client) TESTRELM0513

Recipe Whiteboard: IPA MASTER
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Could not chdir to home directory /home/testuser1: No such file or directory
-sh-4.2$
-sh-4.2$
```

Based on the above observation, marking the bug VERIFIED.

(In reply to Varun Mylaraiah from comment #35)
> [prompting/2fa/sshd]
> single_prompt = True
> first_prompt = Please enter password + OTP token value:

Can sshd be replaced with any other PAM authentication? i.e.

[prompting/2fa/openvpn]
single_prompt = True
first_prompt = "Blah"

Thanks,
Luc

(In reply to Luc de Louw from comment #36)
> (In reply to Varun Mylaraiah from comment #35)
> > [prompting/2fa/sshd]
> > single_prompt = True
> > first_prompt = Please enter password + OTP token value:
>
> Can sshd be replaced with any other PAM authentication? i.e.
>
> [prompting/2fa/openvpn]
> single_prompt = True
> first_prompt = "Blah"

Yes, the optional third part of the section name can specify a PAM service name so that the settings are only valid for this specific service. See man sssd.conf for details.

HTH

bye,
Sumit

> Thanks,
> Luc

There seems to be no mention of the 'prompting' configuration option in the man pages.

For sssd 1.16.4: https://jhrozek.fedorapeople.org/sssd/1.16.4/sssd.conf.5.html

For sssd 2.0.0: https://jhrozek.fedorapeople.org/sssd/2.0.0/man/sssd.conf.5.html

If these are not the current or correct documents, can you please link to online versions of the documentation that describe the features discussed?

A follow-on question: are these features in sssd 2.0.0?

(In reply to Aaron Hicks from comment #38)
> There seems to be no mention of the 'prompting' configuration option in the
> man pages.
>
> For sssd 1.16.4:
> https://jhrozek.fedorapeople.org/sssd/1.16.4/sssd.conf.5.html
>
> For sssd 2.0.0:
> https://jhrozek.fedorapeople.org/sssd/2.0.0/man/sssd.conf.5.html
>
> If these are not the current or correct documents, can you please link to
> online versions of the documentation that describe the features discussed?

Sorry, this is only available in the latest upstream release 2.2.0: https://jhrozek.fedorapeople.org/sssd/2.2.0/man/sssd.conf.5.html.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177

Created attachment 1617187 [details]
test build

Please find attached a test build for this feature. Please note that there is a known issue with the configuration of the feature: https://bugzilla.redhat.com/show_bug.cgi?id=1749279. See the description of the other ticket for a workaround.

bye,
Sumit

Test added upstream in freeipa workspace:

ipatests/test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt
ipatests/test_integration/test_otp.py::TestOTPToken::test_2fa_disable_single_prompt

master:
8007cec ipatests: Added test when 2FA prompting configurations is set.

ipa-4-8:
dcdcbe3 ipatests: Added test when 2FA prompting configurations is set.

ipa-4-7:
85b595a Add test case for OTP login
40359d2 ipatests: Added test when 2FA prompting configurations is set.

ipa-4-6:
cabb7ab Add test case for OTP login
b36c4a7 ipatests: Added test when 2FA prompting configurations is set.
734121f Mark xfail for tests using sssd-1.16.3
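The following is an added illustration, not code from SSSD or from anyone in this thread, of how a `[prompting/2fa/<service>]` section is resolved for a given PAM service, covering the verified sshd case and the openvpn section asked about above. It assumes (not stated on this page) that a service-specific section takes precedence wholesale over the generic `[prompting/2fa]`, and that the default two-step prompts are "First Factor:" and "Second Factor:"; the config text is constructed for the example.

```python
import configparser

# Constructed sssd.conf fragment modelled on the verification comment above.
# The openvpn section is the hypothetical one from the thread, not a real deployment.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.test

[prompting/2fa]
first_prompt = Password:
second_prompt = OTP:

[prompting/2fa/sshd]
single_prompt = True
first_prompt = Please enter password + OTP token value:

[prompting/2fa/openvpn]
single_prompt = True
first_prompt = Password+OTP:
"""

# Assumed defaults when no prompting section applies (not taken from this page).
DEFAULT_FIRST = "First Factor:"
DEFAULT_SECOND = "Second Factor:"


def load_sssd_conf(text):
    """Parse sssd.conf-style text; interpolation is off so '%' in prompts is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def two_factor_prompts(cp, pam_service):
    """Return the list of prompts a 2FA user of `pam_service` would see.

    Assumed precedence: [prompting/2fa/<service>] if present, else [prompting/2fa],
    else built-in defaults. With single_prompt = True the exchange collapses to one
    prompt (first_prompt) into which password and OTP are entered together.
    """
    specific = "prompting/2fa/" + pam_service
    section = cp[specific] if cp.has_section(specific) else (
        cp["prompting/2fa"] if cp.has_section("prompting/2fa") else {})
    single = str(section.get("single_prompt", "False")).strip().lower() in ("true", "1", "yes")
    first = section.get("first_prompt", DEFAULT_FIRST)
    if single:
        return [first]
    return [first, section.get("second_prompt", DEFAULT_SECOND)]
```

Services without their own section (su, login) keep the two-prompt flow from the generic section, which is the behaviour the thread distinguishes from the sshd single-line login.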