Description of problem: PAM can show multiple password prompts, e.g. for 2-Factor authorization. Sudo seems to be limited to one password prompt. pam_sss in Fedora 22 will use the following prompt if 2FA in enabled for the user (using the FreeIPA Backend). First Factor: Second Factor: The second factor usually is provided by a OTP Token. SUDO currently only uses the first prompt and stops after that. $ sudo -s First Factor: Sorry, try again First Factor: Version-Release number of selected component (if applicable): 1.8.14p3 How reproducible: Steps to Reproduce: 1. Use SSSD with FreeIPA as backend 2. use standard authconfig pam configuration for sssd 3. Enable OTP for a user in FreeIPA 4. try sudo for this user Actual results: $ sudo -s First Factor: Sorry, try again First Factor: Expected results: $ sudo -s First Factor: Second Factor: Additional info: Upstream bugreport: http://bugzilla.sudo.ws/show_bug.cgi?id=726
I think this is more a SSSD issue. According to the pam_start man page there are two different expectations about the arrangement of the data in the pam_message struct. SSSD so far only served the Linux-PAM style which sudo seems to expect the Solaris style. Please find a SSSD test build for F22 at http://koji.fedoraproject.org/koji/taskinfo?taskID=13261503. It would be helpful if you can install the test build and check if now sudo prompts for the 2 factors as expected.
It works with the test build. Thanks!
Thank you for the feedback. I submitted the patch for additional review by the other developers.
Fixed upstream: master: 957e0a8675359d90fa50067b704578d01f565bba sssd-1-13: 4a01e6a6fd66e622b80739472a0aa06d1c79a6a9
sssd-1.13.3-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc
sssd-1.13.3-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa
sssd-1.13.3-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.