Bug 1749279

Summary: 2FA prompting setting ineffective
Product: Red Hat Enterprise Linux 9 Reporter: Martin Kosek <mkosek>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: shridhar <sgadekar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: aboscatt, amore, atikhono, bloch, grajaiya, jhrozek, lslebodn, mpanaous, mzidek, pasik, pbrezina, pkettman, ppolawsk, sbose, sgadekar, spurrier, thalman, tscherf, wdh, zconnor
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.7.0-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 11:17:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
SSSD log none

Description Martin Kosek 2019-09-05 09:57:10 UTC 
Description of problem:
When I configured 2FA prompting ([prompting/2fa]) in my sssd.conf, it did not have any effect until I also added blank [prompting/password].

sssd.conf:
[prompting/2fa]
single_prompt = True
first_prompt = Password + OTP:

Version-Release number of selected component (if applicable):
sssd-ipa-2.2.0-16.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server and configure a user with OTP login enforced
2. Add prompting configuration to sssd.conf as mentioned above
3. Restart SSSD
4. ssh as the OTP user

Actual results:

$ ssh employee_otp.test
First Factor: 
Second Factor: 
Activate the web console with: systemctl enable --now cockpit.socket

[employee_otp@ipa /]$


Expected results:
$ ssh employee_otp.test
Password + OTP:


Additional info:
As mentioned, following sssd.conf setting can be used as a workaround:

[prompting/password]

[prompting/2fa]
single_prompt = True
first_prompt = Password + OTP token value
Comment 1 Martin Kosek 2019-09-05 09:57:47 UTC 
Created attachment 1611870 [details]
SSSD log
Comment 7 W. de Heiden 2021-12-23 09:47:40 UTC 
confirmed voor CentOS Stream9 as well.

Any progress on this issue?
Comment 8 Alexey Tikhonov 2022-03-30 14:38:15 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6082
Comment 10 Alexey Tikhonov 2022-04-06 10:13:13 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6082

* `master`
    * 5c5a6b89e73094da92a33876896c7c0e87660294 - tests: allow to run single pam-srv-tests tests
    * 34829d3bc6ff90c916162ffcd1942285a16a735d - tests: add utilities for cmocka based unit tests
    * d8d25758a10dbc34815c5e7b012cd4ee3eb185dc - pam: fix section parsing issue
Comment 20 errata-xmlrpc 2022-11-15 11:17:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8325