Bug 2087745

Summary: 2FA prompting setting ineffective
Product: Red Hat Enterprise Linux 8 Reporter: Alexey Tikhonov <atikhono>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: shridhar <sgadekar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.6CC: grajaiya, jhrozek, lslebodn, mzidek, pbrezina, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.7.0-2.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 10:51:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexey Tikhonov 2022-05-18 12:12:56 UTC 
This bug was initially created as a copy of Bug #1749279

I am copying this bug because: to track fix for RHEL8.



Description of problem:
When I configured 2FA prompting ([prompting/2fa]) in my sssd.conf, it did not have any effect until I also added blank [prompting/password].

sssd.conf:
[prompting/2fa]
single_prompt = True
first_prompt = Password + OTP:

Version-Release number of selected component (if applicable):
sssd-ipa-2.2.0-16.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server and configure a user with OTP login enforced
2. Add prompting configuration to sssd.conf as mentioned above
3. Restart SSSD
4. ssh as the OTP user

Actual results:

$ ssh employee_otp.test
First Factor: 
Second Factor: 
Activate the web console with: systemctl enable --now cockpit.socket

[employee_otp@ipa /]$


Expected results:
$ ssh employee_otp.test
Password + OTP:


Additional info:
As mentioned, following sssd.conf setting can be used as a workaround:

[prompting/password]

[prompting/2fa]
single_prompt = True
first_prompt = Password + OTP token value
Comment 1 Alexey Tikhonov 2022-05-18 12:19:54 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6082

* `master`
    * 5c5a6b89e73094da92a33876896c7c0e87660294 - tests: allow to run single pam-srv-tests tests
    * 34829d3bc6ff90c916162ffcd1942285a16a735d - tests: add utilities for cmocka based unit tests
    * d8d25758a10dbc34815c5e7b012cd4ee3eb185dc - pam: fix section parsing issue
Comment 6 errata-xmlrpc 2022-11-08 10:51:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739