Bug 1695573 - [RFE] Make 2FA prompting configurable
Summary: [RFE] Make 2FA prompting configurable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: SSSD Maintainers
QA Contact: ipa-qe
URL:
Whiteboard: sync-to-jira
Depends On: 1402056
Blocks:
Reported: 2019-04-03 11:49 UTC by Jakub Hrozek
Modified: 2020-10-14 21:54 UTC (History)

Fixed In Version: sssd-2.2.0-1.el8
Doc Type: Enhancement
Doc Text:
Clone Of: 1402056
Environment:
Last Closed: 2020-04-28 16:55:59 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4297 0 None closed [RFE] Make 2FA prompting configurable 2020-10-13 08:29:24 UTC
Red Hat Product Errata RHBA-2020:1863 0 None None None 2020-04-28 16:56:22 UTC

Description Jakub Hrozek 2019-04-03 11:49:29 UTC
+++ This bug was initially created as a clone of Bug #1402056 +++

Description of problem:
Currently, when 2-factor authentication is configured on the server side, SSSD prompts for:

    First Factor: 
    Second Factor: 

To be able to change the prompts to give the user a better hint of what to enter in a given environment, or to short-cut it to a single prompt where both factors are entered in a single string, new config options should be added to sssd.conf.

--- Additional comment from Jakub Hrozek on 2016-12-08 16:14:46 UTC ---

Upstream ticket:
https://fedorahosted.org/sssd/ticket/3264

--- Additional comment from  on 2016-12-09 17:49:42 UTC ---

 === In Red Hat Customer Portal Case 01750586 ===
--- Comment by Ludhwani, Kushal on 9/12/2016 11:19 PM ---

Hello Mathieu,

Yes that bugzilla link sums up RFE.

Also we have open upstream ticket to track the RFE.

---
https://fedorahosted.org/sssd/ticket/3264
---

Also, thanks for your suggestion; I am sharing it with the engineering team and will let you know their feedback.

Thanks,
Kushal Ludhwani,
Technical Support Engineer

--- Additional comment from  on 2016-12-09 17:51:45 UTC ---

Hello,

Please ignore the above comment; sorry for the spam.

My customer has a suggestion for this requirement.

---
The other option would be to have a config dropbox in the RADIUS proxy configuration page on the IdM server to give the option of a 2-factor prompt or a 1-factor prompt. Then have the local SSSD client check that config to properly prompt the user based on the settings.
---

--- Additional comment from RHEL Product and Program Management on 2016-12-15 15:32:47 UTC ---

Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

--- Additional comment from Jakub Hrozek on 2016-12-15 15:36:42 UTC ---

I'm sorry, I didn't mean to dev_nack the bug, reopening.

--- Additional comment from Luc de Louw on 2016-12-19 08:44:27 UTC ---

Instead of two lines it would be nice to have a hint in one line: 

client:~# ssh server -l user
user@server's password: 

and 

client:~# ssh server -l user
user@server's password+otp:

Having just one prompt is more Yubikey friendly, as one just needs to provide the password and touch the Yubikey.

Additional use case: Mobile (Android etc.) clients (probably others too) that have their own password prompt and submit the password as one string do not work with the current situation.

Thanks

--- Additional comment from  on 2017-03-30 16:47:21 UTC ---

Hello,

Do we have any update on bugzilla?

Thanks,
Kushal

--- Additional comment from Jakub Hrozek on 2017-03-30 18:18:53 UTC ---

(In reply to kludhwan from comment #7)
> Hello,
> 
> Do we have any update on bugzilla?
> 
> Thanks,
> Kushal

Currently the fix is not planned for 7.4 and we are currently already behind the devel freeze. If there is a customer who needs this urgently, I would advise to contact PM.

--- Additional comment from Jakub Hrozek on 2017-08-10 09:58:28 UTC ---

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3458

--- Additional comment from Jakub Hrozek on 2017-08-10 18:07:31 UTC ---

(This how-to-test is a little hand-wavy because the solution will involve a new option and I don't know exactly how it will be named, etc.)

So currently the only service that can handle both prompts in a single line is sshd. The fix would be about making that configurable, so the admin would be able to configure another service (e.g. su, login, ...) and then log in using the first and second factor given on a single line.
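As an added illustration of the configuration shape this RFE ended up with (not text from the bug or the sssd project), the sssd.conf(5) prompting sections shipped in sssd 2.2 and later: the `[prompting/2fa]` section with `first_prompt`, `second_prompt` and `single_prompt`, and per-PAM-service subsections. The domain name and the PAM service names `openvpn` and `su` are constructed for the example; the actual service name depends on how the application calls PAM.

```ini
# /etc/sssd/sssd.conf (excerpt) - constructed example, not from the bug report
[sssd]
services = nss, pam
domains = example.test

# Constructed IPA-backed domain; the OTP/2FA policy itself lives on the IPA server.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.test
ipa_server = _srv_

# Default for every PAM service: keep the two prompts, but replace the misleading
# "First Factor:" / "Second Factor:" wording with a hint the user understands.
[prompting/2fa]
first_prompt = Password:
second_prompt = OTP token value:

# Services whose clients can only submit one string (OpenVPN via PAM, su, ...)
# get a single prompt; both factors are typed as one string (password followed
# by the OTP), which is the behaviour otherwise only sshd could handle.
[prompting/2fa/openvpn]
single_prompt = True
first_prompt = Password+OTP:

[prompting/2fa/su]
single_prompt = True
first_prompt = Password+OTP:
```

After editing, restart sssd and confirm the per-service section takes effect by checking that `su -l <user>` shows the single `Password+OTP:` prompt while `login` still shows two prompts.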

--- Additional comment from Jakub Hrozek on 2017-08-21 13:56:57 UTC ---



--- Additional comment from RHEL Product and Program Management on 2017-08-22 08:41:33 UTC ---

Since this bug report now has devel_ack+, the Devel Conditional
NAK state is no longer valid and has been cleared.

--- Additional comment from Sumit Bose on 2017-08-30 09:25:38 UTC ---



--- Additional comment from Sumit Bose on 2017-08-30 16:12:58 UTC ---



--- Additional comment from  on 2017-09-05 20:44:41 UTC ---

Jakub, can you please recheck and confirm whether the upstream bugzilla is correct?

https://pagure.io/SSSD/sssd/issue/3458

The explanation seems different than this bug.

--- Additional comment from Jakub Hrozek on 2017-09-06 07:20:49 UTC ---

(In reply to kludhwan from comment #15)
> Jakub Can you please recheck and confirm if upstream bugzilla is correct.
> 
> https://pagure.io/SSSD/sssd/issue/3458
> 
> Explanation seems different then this bug.

Of course it's wrong, nice catch. The proper upstream ticket is https://pagure.io/SSSD/sssd/issue/3264

--- Additional comment from Jakub Hrozek on 2017-11-28 10:51:22 UTC ---

Since the RFE was not developed and accepted upstream yet, I moved the BZ to RHEL-7.6

--- Additional comment from Jakub Hrozek on 2018-06-07 09:37:47 UTC ---

After talking to Sumit, solving this RFE in a generic way is not realistic to be done in 7.6. Therefore moving to 7.7 for now.

--- Additional comment from Luc de Louw on 2018-09-28 08:50:45 UTC ---

Customer SwissSign would also like this feature to be implemented.

Usecase: OpenVPN with PAM authentication. It does not work if 2FA is enabled in IPA, regardless if it is mandatory or optional.

Workaround: Create a separate PAM file for OpenVPN and configure that PAM file to use just LDAP authentication. Ugly, but it works. The ugly thing is that expired passwords are not reflected because of the use of the compat LDAP tree.

Thanks,

Luc

--- Additional comment from Jered Floyd on 2018-10-11 03:00:12 UTC ---

If I'm not mistaken, it appears that libreswan+OTP as described in this solution no longer works: https://access.redhat.com/solutions/2050913 as a regression due to implementing multiple auth methods.  Should this article be updated?

--- Additional comment from  on 2018-10-30 08:19:35 UTC ---

Customer's comment #6 on case #02236640:
While this would allow us to correct the fault if the prompts were configurable, it still does not address that in its current state the end user is being misled by the default prompts.

--- Additional comment from  on 2018-11-16 16:50:00 UTC ---

Hello,

Do we have any update for the customer?

Thanks,
Kushal

--- Additional comment from Sumit Bose on 2018-11-16 17:32:19 UTC ---

(In reply to kludhwan from comment #22)
> Hello,
> 
> Do we have any update for the customer?
> 
> Thanks,
> kushal

RHEL-7.7 is currently in the planning phase and so far this ticket is considered for this release. But please note that nothing is decided yet.

--- Additional comment from Jakub Hrozek on 2019-02-07 14:18:00 UTC ---

Hi Kaleem,
this bug slipped the acking it seems. Can you provide the qa_ack, please?

--- Additional comment from Deepak Das on 2019-02-12 09:07:51 UTC ---

Customer in case 02291747 has raised the following requirement; hence it is highlighted in this bugzilla, as the RFE is similar.

------------------------------------------------------------------------------------------------------------------------------------------------
pam_sss will do FAST/OTP to Kerberos (non-FreeIPA) which uses RADIUS on the backend to verify. But this requires entry of both the first and second factor. This prevents ssh using PAM and the pam_sss module from ever being able to use FAST/OTP, because multiple prompts are not possible. If the OTP is provided on the First Factor then ECHallenge (timestamp) is used, which it appears is what is happening to ssh. How can I have pam_sss use FAST/OTP with a single OTP? pam_sss checks to see that the KDC supports OTP, which is why it prompts with First and Second factor. So why in the sssd.conf can't I say try FAST/OTP first?
------------------------------------------------------------------------------------------------------------------------------------------------

--- Additional comment from Scott Spurrier on 2019-02-20 21:00:19 UTC ---

Can we please get an update to the questions asked in comment #25?

--- Additional comment from Sumit Bose on 2019-02-21 06:20:23 UTC ---

(In reply to Scott Spurrier from comment #26)
> Can we please get an update to the questions asked in comment #25?

It is currently not possible to configure SSSD/pam_sss to ask for first and second factor in a single prompt. This will be solved with this RFE.

HTH

bye,
Sumit

--- Additional comment from Jakub Hrozek on 2019-04-01 21:14:19 UTC ---

master:
45efba7
a4d1785
fc26b4a
ac4b33f
fa8ef7c

(backport on review)

Comment 1 Michal Zidek 2020-01-15 12:15:07 UTC
This bug was fixed as part of the rebase we did in RHEL 8.2.0. It would be good to fully ack it and include in the erratum.

Comment 2 Michal Zidek 2020-02-05 13:41:22 UTC
As was mentioned previously, this bug was fixed as part of the rebase, but we cannot add it to the advisory without an exception at this stage.

Comment 5 Michal Zidek 2020-02-05 13:56:12 UTC
Sorry for spam. Looks like the exception was not needed to get it to the advisory (since it is already fixed in dist-git for a while). It was only missing internal target release. So I am removing the exception request.

Comment 6 anuja 2020-03-03 09:00:16 UTC
Verified Using Version:
sssd-ipa-2.2.3-17.el8.x86_64
ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64

Test-console log:
-----------------------------------------------------------------
============================================================== test session starts ===============================================================
platform linux -- Python 3.7.6, pytest-4.6.9, py-1.8.0, pluggy-0.12.0 -- /usr/bin/python3
cachedir: /root/freeipa/ipatests/.pytest_cache
metadata: {'Python': '3.7.6', 'Platform': 'Linux-5.3.7-301.fc31.x86_64-x86_64-with-fedora-31-Thirty_One', 'Packages': {'pytest': '4.6.9', 'py': '1.8.0', 'pluggy': '0.12.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.7/site-packages/ipatests
plugins: metadata-1.8.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collected 6 items                                                                                                                                

test_integration/test_otp.py::TestOTPToken::test_otp_auth_ind PASSED                                                                       [ 16%]
test_integration/test_otp.py::TestOTPToken::test_hopt PASSED                                                                               [ 33%]
test_integration/test_otp.py::TestOTPToken::test_totp PASSED                                                                               [ 50%]
test_integration/test_otp.py::TestOTPToken::test_otptoken_sync PASSED                                                                      [ 66%]
test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt PASSED                                                           [ 83%]
test_integration/test_otp.py::TestOTPToken::test_2fa_disable_single_prompt PASSED                                                          [100%]


------------------------------------------------------ generated xml file: /root/junit.xml -------------------------------------------------------
===================================================== 6 passed in 575.36 seconds =====================================================
[root@runner ipatests]#

Comment 8 errata-xmlrpc 2020-04-28 16:55:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863

