Bug 1402056 - [RFE] Make 2FA prompting configurable
Summary: [RFE] Make 2FA prompting configurable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: ipa-qe
URL:
Whiteboard:
: 1466504 1485438 1485441 (view as bug list)
Depends On:
Blocks: 1695573
TreeView+ depends on / blocked
 
Reported: 2016-12-06 16:45 UTC by Sumit Bose
Modified: 2020-05-02 18:34 UTC (History)
28 users (show)

Fixed In Version: sssd-1.16.4-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1695573 (view as bug list)
Environment:
Last Closed: 2019-08-06 13:02:00 UTC
Target Upstream Version:
ksiddiqu: needinfo+


Attachments (Terms of Use)
test build (9.42 MB, application/gzip)
2019-09-20 11:54 UTC, Sumit Bose
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4297 0 None closed [RFE] Make 2FA prompting configurable 2021-01-27 09:57:52 UTC
Red Hat Knowledge Base (Solution) 2851831 0 None None None 2017-09-28 21:19:48 UTC
Red Hat Product Errata RHSA-2019:2177 0 None None None 2019-08-06 13:02:43 UTC

Description Sumit Bose 2016-12-06 16:45:49 UTC
Description of problem:
Currently when 2-factor authentication is configured on the server side SSSD prompts for:

    First Factor: 
    Second Factor: 

To be able to change the prompts to give the user a better hint what to enter in a given environment or to short-cut it to a single prompt where both factors are entered in a single string new config options should be added to sssd.conf.

Comment 1 Jakub Hrozek 2016-12-08 16:14:46 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3264

Comment 4 RHEL Program Management 2016-12-15 15:32:47 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 5 Jakub Hrozek 2016-12-15 15:36:42 UTC
I'm sorry, I didn't mean to dev_nack the bug, reopening.

Comment 6 Luc de Louw 2016-12-19 08:44:27 UTC
Instead of two lines it would be nice to have a hint in one line: 

client:~# ssh server -l user
user@server's password: 

and 

client:~# ssh server -l user
user@server's password+otp:

Having just one prompt is more Yubikey friendly as one just needs to provide the password and touch the Yubikey

Additional use case: Mobile (Android etc.) clients (probably others) that have an own passwd prompt and submit the password in one string do not work with the current situation

Thanks

Comment 9 Jakub Hrozek 2017-08-10 09:58:28 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3458

Comment 10 Jakub Hrozek 2017-08-10 18:07:31 UTC
(This how to test is a little hand-wavy because the solution will involve a new option and I don't know exactly how will it be named etc..)

So currently the only service that can handle both prompts in a single line is sshd. The fix would be about making that configurable, so the admin would be able to configure another service (e.g. su, login, ...) and then log in using the first and second factor given on a single line.

Comment 11 Jakub Hrozek 2017-08-21 13:56:57 UTC
*** Bug 1466504 has been marked as a duplicate of this bug. ***

Comment 13 Sumit Bose 2017-08-30 09:25:38 UTC
*** Bug 1485441 has been marked as a duplicate of this bug. ***

Comment 14 Sumit Bose 2017-08-30 16:12:58 UTC
*** Bug 1485438 has been marked as a duplicate of this bug. ***

Comment 22 kludhwan 2018-11-16 16:50:00 UTC
Hello,

Do we have any update for the customer?

Thanks,
kushal

Comment 28 Jakub Hrozek 2019-04-01 21:14:19 UTC
master:
45efba7
a4d1785
fc26b4a
ac4b33f
fa8ef7c

(backport on review)

Comment 29 Jakub Hrozek 2019-04-03 21:33:10 UTC
* sssd-1-16:
558b543270d4bb56336c48040611fbc7c5552451
efefac9f41354e5e8d794ce5c6ceb7f0ebc3ed78
c91c6dd4ba87ace0b1566e93539a95b59ec385fa
ca65bfdab55c614eb5c1195065d38e696594a80d
d453f92e1c2312655b3359fc16f386b8d569c668
ceb4c8e219d01c29d0dfbfff13020ca58b4113d2

Comment 35 Varun Mylaraiah 2019-05-17 03:47:04 UTC
Verified 
[root@cypher ~]# rpm -qa ipa-server sssd
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-13.el7.x86_64

[root@cypher ~]# cat /etc/sssd/sssd.conf
[domain/testrelm0513.test]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm0513.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypher.testrelm0513.test
chpass_provider = ipa
ipa_server = cypher.testrelm0513.test
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh

domains = testrelm0513.test
[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = ipaapi, root

[secrets]

[session_recording]

[prompting/2fa/sshd]
single_prompt = True
first_prompt = Please enter password + OTP token value:



[root@cypher ~]# ssh cypher.testrelm0513.test -l testuser1
Please enter password + OTP token value:

Last login: Thu May 16 10:09:42 2019 from cypher.testrelm0513.test
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by mvarun.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/6866155

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/cypher.testrelm0513.test

 For the default root password, see:
  https://beaker.engineering.redhat.com/prefs/

      Beaker Test information:
                         HOSTNAME=cypher.testrelm0513.test
                            JOBID=3537008
                         RECIPEID=6866155
                    RESULT_SERVER=
                           DISTRO=RHEL-7.7-20190514.n.0
                     ARCHITECTURE=x86_64

      Job Whiteboard: IPA :: RHEL 7.7 :: x86_64 :: Quickinstall (with replica/client) TESTRELM0513

      Recipe Whiteboard: IPA MASTER
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/testuser1: No such file or directory
-sh-4.2$ 
-sh-4.2$ 

Based on the above observation, marking the bug VERIFIED

Comment 36 Luc de Louw 2019-05-28 08:58:21 UTC
(In reply to Varun Mylaraiah from comment #35)
 
> [prompting/2fa/sshd]
> single_prompt = True
> first_prompt = Please enter password + OTP token value:

Can sshd be replaced with any other PAM authentication? i.e. 

[prompting/2fa/openvpn]
single_prompt = True
first_prompt = "Blah"

Thanks,

Luc

Comment 37 Sumit Bose 2019-05-28 09:09:21 UTC
(In reply to Luc de Louw from comment #36)
> (In reply to Varun Mylaraiah from comment #35)
>  
> > [prompting/2fa/sshd]
> > single_prompt = True
> > first_prompt = Please enter password + OTP token value:
> 
> Can sshd be replaced with any other PAM authentication? i.e. 
> 
> [prompting/2fa/openvpn]
> single_prompt = True
> first_prompt = "Blah"

Yes, the optional third part of the section name can specify a PAM service name so that the settings are only valid for this specific service. See man sssd.conf for details.

HTH

bye,
Sumit

> 
> Thanks,
> 
> Luc

Comment 38 Aaron Hicks 2019-06-09 22:49:52 UTC
There seems to be no mention of the 'prompting' configuration option in the man pages.

For sssd 1.16.4:
https://jhrozek.fedorapeople.org/sssd/1.16.4/sssd.conf.5.html

For for sssd 2.0.0:
https://jhrozek.fedorapeople.org/sssd/2.0.0/man/sssd.conf.5.html

If these are not the current or correct documents, can you please link to online versions of the documentation that describe the features discussed?

Comment 39 Aaron Hicks 2019-06-09 22:54:49 UTC
A follow on question, are these features in sssd 2.0.0?

Comment 42 Sumit Bose 2019-06-18 08:52:18 UTC
(In reply to Aaron Hicks from comment #38)
> There seems to be no mention of the 'prompting' configuration option in the
> man pages.
> 
> For sssd 1.16.4:
> https://jhrozek.fedorapeople.org/sssd/1.16.4/sssd.conf.5.html
> 
> For for sssd 2.0.0:
> https://jhrozek.fedorapeople.org/sssd/2.0.0/man/sssd.conf.5.html
> 
> If these are not the current or correct documents, can you please link to
> online versions of the documentation that describe the features discussed?

Sorry, this is only available in the latest upstream release 2.2.0 https://jhrozek.fedorapeople.org/sssd/2.2.0/man/sssd.conf.5.html.

Comment 47 errata-xmlrpc 2019-08-06 13:02:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177

Comment 51 Sumit Bose 2019-09-20 11:54:20 UTC
Created attachment 1617187 [details]
test build

Please find attached a test build for this feature.

Please note that there is a know issues with the configuration of the feature https://bugzilla.redhat.com/show_bug.cgi?id=1749279. See the description of the other ticket for a workaround,

bye,
Sumit

Comment 52 Florence Blanc-Renaud 2020-03-12 13:00:54 UTC
Test added upstream in freeipa workspace:
 ipatests/test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt
 ipatests/test_integration/test_otp.py::TestOTPToken::test_2fa_disable_single_prompt

master:
    8007cec ipatests: Added test when 2FA prompting configurations is set.
ipa-4-8:
    dcdcbe3 ipatests: Added test when 2FA prompting configurations is set.
ipa-4-7:
    85b595a Add test case for OTP login
    40359d2 ipatests: Added test when 2FA prompting configurations is set.
ipa-4-6:
    cabb7ab Add test case for OTP login
    b36c4a7 ipatests: Added test when 2FA prompting configurations is set.
    734121f Mark xfail for tests using sssd-1.16.3


Note You need to log in before you can comment on or make changes to this bug.