#2971 SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
Closed: Fixed. Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1315766

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
The SSSD PAM module does not appear to support two-factor authentication when
used with sudo. PAM can show multiple password prompts, e.g. for 2-Factor
authorization. But sudo seems to be limited to one password prompt.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use SSSD with IPA as backend.
2. Use the standard authconfig PAM configuration for SSSD.
3. Enable OTP for a user in IPA.
4. Try sudo for this user.

Actual results:
* Listing the sudo rules or trying to become root fails.

bash-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:
Sorry, try again.
First Factor:
Sorry, try again.
sudo: 3 incorrect password attempts

Expected results:
bash-4.2$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

First Factor:
Second Factor:
sudouser is not allowed to run sudo on server1.  This incident will be

bash-4.2$ sudo bash
First Factor:
Second Factor:
[root@server1 /]#

Additional info:

Fedora bugzilla : https://bugzilla.redhat.com/show_bug.cgi?id=1276868
Test build is available at :

Fields changed

design_review: => 0
mark: no => 0
owner: somebody => sbose
patch: 0 => 1
review: True => 0
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1315766 1315766] => [https://bugzilla.redhat.com/show_bug.cgi?id=1315766 1315766] [https://bugzilla.redhat.com/show_bug.cgi?id=1276868 1276868]
status: new => assigned
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.4

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4012

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
