Bug 1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
Summary: Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 23
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-31 17:39 UTC by david
Modified: 2016-03-30 21:19 UTC (History)
13 users (show)

Fixed In Version: sssd-1.13.3-6.fc23 sssd-1.13.3-6.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-30 20:52:48 UTC


Attachments (Terms of Use)

Description david 2015-10-31 17:39:47 UTC
Description of problem:
PAM can show multiple password prompts, e.g. for 2-Factor authorization. Sudo seems to be limited to one password prompt.

pam_sss in Fedora 22 will use the following prompt if 2FA in enabled for the user (using the FreeIPA Backend). 
First Factor: 
Second Factor: 

The second factor usually is provided by a OTP Token.

SUDO currently only uses the first prompt and stops after that.

$ sudo -s
First Factor: 
Sorry, try again
First Factor: 


Version-Release number of selected component (if applicable):
1.8.14p3

How reproducible:


Steps to Reproduce:
1. Use SSSD with FreeIPA as backend
2. use standard authconfig pam configuration for sssd
3. Enable OTP for a user in FreeIPA
4. try sudo for this user

Actual results:
$ sudo -s
First Factor: 
Sorry, try again
First Factor: 


Expected results:
$ sudo -s
First Factor: 
Second Factor: 


Additional info:

Upstream bugreport: http://bugzilla.sudo.ws/show_bug.cgi?id=726

Comment 1 Sumit Bose 2016-03-07 16:26:22 UTC
I think this is more a SSSD issue. According to the pam_start man page there are two different expectations about the arrangement of the data in the pam_message struct. SSSD so far only served the Linux-PAM style which sudo seems to expect the Solaris style.

Please find a SSSD test build for F22 at http://koji.fedoraproject.org/koji/taskinfo?taskID=13261503. It would be helpful if you can install the test build and check if now sudo prompts for the 2 factors as expected.

Comment 2 david 2016-03-08 13:43:37 UTC
It works with the test build. 

Thanks!

Comment 3 Sumit Bose 2016-03-08 16:58:08 UTC
Thank you for the feedback. I submitted the patch for additional review by the other developers.

Comment 4 Jakub Hrozek 2016-03-14 16:29:08 UTC
Fixed upstream:
    master: 957e0a8675359d90fa50067b704578d01f565bba
    sssd-1-13: 4a01e6a6fd66e622b80739472a0aa06d1c79a6a9

Comment 5 Fedora Update System 2016-03-22 09:48:52 UTC
sssd-1.13.3-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc

Comment 6 Fedora Update System 2016-03-22 09:49:26 UTC
sssd-1.13.3-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa

Comment 7 Fedora Update System 2016-03-22 09:49:55 UTC
sssd-1.13.3-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4

Comment 8 Fedora Update System 2016-03-22 16:54:48 UTC
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc

Comment 9 Fedora Update System 2016-03-22 21:25:36 UTC
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4

Comment 10 Fedora Update System 2016-03-22 21:31:05 UTC
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa

Comment 11 Fedora Update System 2016-03-26 17:54:47 UTC
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-03-30 20:52:37 UTC
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-03-30 21:19:06 UTC
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.