Bug 1695573 - [RFE] Make 2FA prompting configurable
Summary: [RFE] Make 2FA prompting configurable
Keywords:
Status: POST
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: SSSD Maintainers
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On: 1402056
Blocks:
Reported: 2019-04-03 11:49 UTC by Jakub Hrozek
Modified: 2019-04-10 19:38 UTC (History)
25 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1402056
Environment:
Last Closed:
Type: Bug
Target Upstream Version:



Description Jakub Hrozek 2019-04-03 11:49:29 UTC
+++ This bug was initially created as a clone of Bug #1402056 +++

Description of problem:
Currently when 2-factor authentication is configured on the server side SSSD prompts for:

    First Factor: 
    Second Factor: 

To be able to change the prompts to give the user a better hint what to enter in a given environment or to short-cut it to a single prompt where both factors are entered in a single string new config options should be added to sssd.conf.

--- Additional comment from Jakub Hrozek on 2016-12-08 16:14:46 UTC ---

Upstream ticket:
https://fedorahosted.org/sssd/ticket/3264

--- Additional comment from  on 2016-12-09 17:49:42 UTC ---

=== In Red Hat Customer Portal Case 01750586 ===
--- Comment by Ludhwani, Kushal on 9/12/2016 11:19 PM ---

Hello Mathieu,

Yes that bugzilla link sums up RFE.

Also we have open upstream ticket to track the RFE.

---
https://fedorahosted.org/sssd/ticket/3264
---

Also, thanks for your suggestion. I am sharing your suggestion with the engineering team and will let you know the feedback for that.

Thanks,
Kushal Ludhwani,
Technical Support Engineer

--- Additional comment from  on 2016-12-09 17:51:45 UTC ---

Hello,

Please ignore the above comment, sorry for the spam.

My customer has a suggestion for this requirement.

---
The other option would have a config dropbox in the radius proxy configuration page on the IDM server to give the option of a 2 Factor prompt or a 1 Factor prompt. Then have the local SSSD client check that config to properly prompt the user based on the settings.
---

--- Additional comment from RHEL Product and Program Management on 2016-12-15 15:32:47 UTC ---

Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

--- Additional comment from Jakub Hrozek on 2016-12-15 15:36:42 UTC ---

I'm sorry, I didn't mean to dev_nack the bug, reopening.

--- Additional comment from Luc de Louw on 2016-12-19 08:44:27 UTC ---

Instead of two lines it would be nice to have a hint in one line: 

client:~# ssh server -l user
user@server's password: 

and 

client:~# ssh server -l user
user@server's password+otp:

Having just one prompt is more Yubikey friendly, as one just needs to provide the password and touch the Yubikey.

Additional use case: Mobile (Android etc.) clients (probably others) that have their own passwd prompt and submit the password in one string do not work with the current situation.

Thanks

--- Additional comment from  on 2017-03-30 16:47:21 UTC ---

Hello,

Do we have any update on bugzilla?

Thanks,
Kushal

--- Additional comment from Jakub Hrozek on 2017-03-30 18:18:53 UTC ---

(In reply to kludhwan from comment #7)
> Hello,
> 
> Do we have any update on bugzilla?
> 
> Thanks,
> Kushal

Currently the fix is not planned for 7.4 and we are currently already behind the devel freeze. If there is a customer who needs this urgently, I would advise to contact PM.

--- Additional comment from Jakub Hrozek on 2017-08-10 09:58:28 UTC ---

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3458

--- Additional comment from Jakub Hrozek on 2017-08-10 18:07:31 UTC ---

(This how-to-test is a little hand-wavy because the solution will involve a new option and I don't know exactly how it will be named, etc.)

So currently the only service that can handle both prompts in a single line is sshd. The fix would be about making that configurable, so the admin would be able to configure another service (e.g. su, login, ...) and then log in using the first and second factor given on a single line.

--- Additional comment from Jakub Hrozek on 2017-08-21 13:56:57 UTC ---



--- Additional comment from RHEL Product and Program Management on 2017-08-22 08:41:33 UTC ---

Since this bug report now has devel_ack+, the Devel Conditional
NAK state is no longer valid and has been cleared.

--- Additional comment from Sumit Bose on 2017-08-30 09:25:38 UTC ---



--- Additional comment from Sumit Bose on 2017-08-30 16:12:58 UTC ---



--- Additional comment from  on 2017-09-05 20:44:41 UTC ---

Jakub, can you please recheck and confirm if the upstream bugzilla is correct.

https://pagure.io/SSSD/sssd/issue/3458

The explanation seems different than this bug.

--- Additional comment from Jakub Hrozek on 2017-09-06 07:20:49 UTC ---

(In reply to kludhwan from comment #15)
> Jakub, can you please recheck and confirm if the upstream bugzilla is correct.
> 
> https://pagure.io/SSSD/sssd/issue/3458
> 
> The explanation seems different than this bug.

Of course it's wrong, nice catch. The proper upstream ticket is https://pagure.io/SSSD/sssd/issue/3264

--- Additional comment from Jakub Hrozek on 2017-11-28 10:51:22 UTC ---

Since the RFE was not developed and accepted upstream yet, I moved the BZ to RHEL-7.6

--- Additional comment from Jakub Hrozek on 2018-06-07 09:37:47 UTC ---

After talking to Sumit, solving this RFE in a generic way is not realistic for 7.6. Therefore moving to 7.7 for now.

--- Additional comment from Luc de Louw on 2018-09-28 08:50:45 UTC ---

Customer SwissSign would also like this feature to be implemented.

Use case: OpenVPN with PAM authentication. It does not work if 2FA is enabled in IPA, regardless of whether it is mandatory or optional.

Workaround: Create a separate pam file for OpenVPN and configure that pam file to use just LDAP authentication. Ugly, but it works. The ugly thing is that expired passwords are not reflected because of the usage of the compat LDAP tree.

Thanks,

Luc

--- Additional comment from Jered Floyd on 2018-10-11 03:00:12 UTC ---

If I'm not mistaken, it appears that libreswan+OTP as described in this solution no longer works: https://access.redhat.com/solutions/2050913 as a regression due to implementing multiple auth methods. Should this article be updated?

--- Additional comment from  on 2018-10-30 08:19:35 UTC ---

Customer's comment #6 on case #02236640:
While this would allow us to correct the fault if the prompts were configurable, it still does not address that in its current state the end user is being misled by the default prompts.

--- Additional comment from  on 2018-11-16 16:50:00 UTC ---

Hello,

Do we have any update for the customer?

Thanks,
kushal

--- Additional comment from Sumit Bose on 2018-11-16 17:32:19 UTC ---

(In reply to kludhwan from comment #22)
> Hello,
> 
> Do we have any update for the customer?
> 
> Thanks,
> kushal

RHEL-7.7 is currently in the planning phase and so far this ticket is considered for this release. But please note that nothing is decided yet.

--- Additional comment from Jakub Hrozek on 2019-02-07 14:18:00 UTC ---

Hi Kaleem,
this bug slipped the acking it seems. Can you provide the qa_ack, please?

--- Additional comment from Deepak Das on 2019-02-12 09:07:51 UTC ---

Customer in case 02291747 has raised the following requirement, hence I have highlighted the requirement in this bugzilla as the RFE is similar.

------------------------------------------------------------------------------------------------------------------------------------------------
Pam_sss will do FAST/OTP to Kerberos (non-freeipa) which uses radius on the backend to verify. But this requires entry of both the first and second factor. This prevents ssh using pam and the pam_sss module from ever being able to use FAST/OTP because multiple prompts are not possible. If the OTP is provided on the First Factor then ECHallenge (timestamp) is used, which it appears is what is happening to ssh. How can I have pam_sss use FAST/OTP with a single OTP? pam_sss checks to see that the KDC supports OTP, which is why it prompts with First and Second factor. So why in the sssd.conf can't I say try FAST/OTP first?
------------------------------------------------------------------------------------------------------------------------------------------------

--- Additional comment from Scott Spurrier on 2019-02-20 21:00:19 UTC ---

Can we please get an update to the questions asked in comment #25?

--- Additional comment from Sumit Bose on 2019-02-21 06:20:23 UTC ---

(In reply to Scott Spurrier from comment #26)
> Can we please get an update to the questions asked in comment #25?

It is currently not possible to configure SSSD/pam_sss to ask for first and second factor in a single prompt. This will be solved with this RFE.

HTH

bye,
Sumit

--- Additional comment from Jakub Hrozek on 2019-04-01 21:14:19 UTC ---

master:
45efba7
a4d1785
fc26b4a
ac4b33f
fa8ef7c

(backport on review)
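For readers who want to see what the configurable prompting requested above looks like in practice, here is an added sssd.conf fragment; it is not part of this bug report or of the SSSD project's own text. It assumes the `[prompting/2fa]` section with `first_prompt`, `second_prompt` and `single_prompt` as documented in the PROMPTING CONFIGURATION SECTION of sssd.conf(5) (none of these names appear in this bug), that per-PAM-service sub-sections of the form `[prompting/2fa/<service>]` are honoured, and that `example.com`, `ipa.example.com` and the `openvpn` PAM service name are placeholders.

```ini
# Constructed sssd.conf fragment (assumed option names, see lead-in).
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.com

# Default 2FA prompting for every PAM service: keep two prompts, but
# tell the user what each one wants instead of "First Factor"/"Second Factor".
[prompting/2fa]
first_prompt = Password:
second_prompt = OTP token value:

# Per-service override for clients that can only send one string
# (the OpenVPN-with-PAM case from this bug): a single prompt in which
# the user types password followed by the OTP. Both factors still
# have to be entered here even if the second factor is optional on
# the server, so only enable this for services that really need it.
[prompting/2fa/openvpn]
single_prompt = true
first_prompt = Password+OTP:
```

Prompt text is purely cosmetic to SSSD; the split of the concatenated string into password and OTP is still done by the authentication backend, so check that the IdM/Kerberos side actually accepts the single-string form before rolling this out.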

