Bug 1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
23
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-31 13:39 EDT by david
Modified: 2016-03-30 17:19 EDT (History)
13 users (show)

See Also:
Fixed In Version: sssd-1.13.3-6.fc23 sssd-1.13.3-6.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-30 16:52:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description david 2015-10-31 13:39:47 EDT
Description of problem:
PAM can show multiple password prompts, e.g. for 2-Factor authorization. Sudo seems to be limited to one password prompt.

pam_sss in Fedora 22 will use the following prompt if 2FA in enabled for the user (using the FreeIPA Backend). 
First Factor: 
Second Factor: 

The second factor usually is provided by a OTP Token.

SUDO currently only uses the first prompt and stops after that.

$ sudo -s
First Factor: 
Sorry, try again
First Factor: 


Version-Release number of selected component (if applicable):
1.8.14p3

How reproducible:


Steps to Reproduce:
1. Use SSSD with FreeIPA as backend
2. use standard authconfig pam configuration for sssd
3. Enable OTP for a user in FreeIPA
4. try sudo for this user

Actual results:
$ sudo -s
First Factor: 
Sorry, try again
First Factor: 


Expected results:
$ sudo -s
First Factor: 
Second Factor: 


Additional info:

Upstream bugreport: http://bugzilla.sudo.ws/show_bug.cgi?id=726
Comment 1 Sumit Bose 2016-03-07 11:26:22 EST
I think this is more a SSSD issue. According to the pam_start man page there are two different expectations about the arrangement of the data in the pam_message struct. SSSD so far only served the Linux-PAM style which sudo seems to expect the Solaris style.

Please find a SSSD test build for F22 at http://koji.fedoraproject.org/koji/taskinfo?taskID=13261503. It would be helpful if you can install the test build and check if now sudo prompts for the 2 factors as expected.
Comment 2 david 2016-03-08 08:43:37 EST
It works with the test build. 

Thanks!
Comment 3 Sumit Bose 2016-03-08 11:58:08 EST
Thank you for the feedback. I submitted the patch for additional review by the other developers.
Comment 4 Jakub Hrozek 2016-03-14 12:29:08 EDT
Fixed upstream:
    master: 957e0a8675359d90fa50067b704578d01f565bba
    sssd-1-13: 4a01e6a6fd66e622b80739472a0aa06d1c79a6a9
Comment 5 Fedora Update System 2016-03-22 05:48:52 EDT
sssd-1.13.3-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc
Comment 6 Fedora Update System 2016-03-22 05:49:26 EDT
sssd-1.13.3-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa
Comment 7 Fedora Update System 2016-03-22 05:49:55 EDT
sssd-1.13.3-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4
Comment 8 Fedora Update System 2016-03-22 12:54:48 EDT
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-319ed373cc
Comment 9 Fedora Update System 2016-03-22 17:25:36 EDT
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dea583aee4
Comment 10 Fedora Update System 2016-03-22 17:31:05 EDT
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-526233c4aa
Comment 11 Fedora Update System 2016-03-26 13:54:47 EDT
sssd-1.13.3-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2016-03-30 16:52:37 EDT
sssd-1.13.3-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2016-03-30 17:19:06 EDT
sssd-1.13.3-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.