#2971 SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
Closed: Fixed None Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1315766

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
SSSD pam module does not appear to support two factor authentication when using
with sudo. PAM can show multiple password prompts, e.g. for 2-Factor
authorization. But sudo seems to be limited to one password prompt.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use SSSD with IPA as backend
2. use standard authconfig pam configuration for sssd
3. Enable OTP for a user in IPA
4. try sudo for this user.

Actual results:
* Listing the sudo rules or trying to become root fails.

bash-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:
Sorry, try again.
First Factor:
Sorry, try again.
sudo: 3 incorrect password attempts

Expected results:
bash-4.2$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

First Factor:
Second Factor:
sudouser is not allowed to run sudo on server1.  This incident will be

bash-4.2$ sudo bash
First Factor:
Second Factor:
[root@server1 /]#

Additional info:

Fedora bugzilla : https://bugzilla.redhat.com/show_bug.cgi?id=1276868
Test build is available at :

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => sbose
patch: 0 => 1
review: True => 0
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1315766 1315766] => [https://bugzilla.redhat.com/show_bug.cgi?id=1315766 1315766] [https://bugzilla.redhat.com/show_bug.cgi?id=1276868 1276868]
selected: =>
status: new => assigned
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.4

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4

2 years ago

Login to comment on this ticket.