See

```c
    if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
            || (pi->pam_service != NULL
                    && strcmp(pi->pam_service, "sshd") == 0
                    && strcmp(resp[0].resp, resp[1].resp) == 0)) {
        /* Missing second factor, assume first factor contains combined 2FA
         * credentials.
         * Special handling for SSH with password authentication. Combined
         * 2FA credentials are used but SSH puts them in both responses. */
```

in https://github.com/SSSD/sssd/blob/818d01b4a0d332fff06db33c0c985b8c0f1417c7/src/sss_client/pam_sss.c
This code allows only SSHD to combine two factors together but other services might be doing that too.
User story: From my application that uses PAM for authentication (WebApp/Radius/Tacacs) I would like to use SSSD for 2FA authentication against IdM. I would like to combine both factors in one prompt for the service I use so that I do not have to implement double prompting in my application.
Proposed approach:

1. SSSD config: `single_prompt = sshd, my_app, another_app`
2. Pseudo code:

```c
    if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
            || (pi->pam_service != NULL
                    && in_single_prompt_list(pi->pam_service, single_prompt_list) == 0
                    && strcmp(resp[0].resp, resp[1].resp) == 0)) {
        ...
```
Alternative approach is to not require the second prompt at all. If users got two prompts but entered everything on the first line it should be OK.
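As an added illustration of the proposed approach (example code, not from pam_sss.c or the SSSD project): a configurable service list replaces the hard-coded `strcmp(pi->pam_service, "sshd")`, and the decision to treat the first reply as combined password+OTP is isolated in one function. `struct reply`, `in_single_prompt_list` and `use_combined_credentials` are hypothetical names; the list format assumes the comma-separated value from the proposal above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for pam_response: only the text reply matters here. */
struct reply {
    const char *resp;
};

/* True if 'service' is an item of the comma-separated list
 * (e.g. "sshd, my_app, another_app"); blanks around items are ignored.
 * 'list' may be NULL when the option is not set in sssd.conf. */
bool in_single_prompt_list(const char *service, const char *list)
{
    if (service == NULL || *service == '\0' || list == NULL) {
        return false;
    }
    size_t slen = strlen(service);
    const char *p = list;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* skip separators */
        const char *start = p;
        while (*p != '\0' && *p != ',') p++;                /* end of item */
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if ((size_t)(end - start) == slen && strncmp(start, service, slen) == 0) {
            return true;
        }
    }
    return false;
}

/* Decide whether resp[0] holds combined 2FA credentials: either the second
 * prompt was answered with nothing, or the service is on the single-prompt
 * list and its conversation callback copied one input into both replies.
 * Two different replies always mean separate password and OTP. */
bool use_combined_credentials(const struct reply resp[2],
                              const char *pam_service,
                              const char *single_prompt_list)
{
    if (resp[0].resp == NULL) {
        return false;                      /* nothing was entered at all */
    }
    if (resp[1].resp == NULL || *(resp[1].resp) == '\0') {
        return true;                       /* already handled by pam_sss today */
    }
    return in_single_prompt_list(pam_service, single_prompt_list)
           && strcmp(resp[0].resp, resp[1].resp) == 0;
}
```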
The "alternative approach" is already available.
If there is no reply to the second prompt (resp[1].resp == NULL || *(resp[1].resp) == '\0') then this code path is taken as well.
The special handling of sshd is not about putting password and OTP in a single value but the behavior of the conversation callback of sshd to put the single input from the user into every reply.
But there is one thing to keep in mind. pam_sss will send the data to SSSD flagged as password. If the user is configured for 2FA then the backend will assume the input is a password and OTP in a single string. But if the user is configured for both 2FA and 1FA then this input will only be used for the password (1FA) authentication. There will be no fallback to 2FA because one of the original principles of SSSD was that the credentials will be only used once and not tried as long as an authentication method is successful.
There is a more general ticket https://pagure.io/SSSD/sssd/issue/3264. Would you agree to copy your user story to https://pagure.io/SSSD/sssd/issue/3264 and close this ticket as duplicate?
To sum up today's sssd meeting discussion:
Some applications that prompt on their own run the PAM conversation internally, but now sssd is asking for two secrets (pass/otp), while the user can press enter for the second prompt. sshd puts the same content (pass+otp) into both prompts and pam_sss checks if the service is sshd and the prompts are compared. We might remove the sshd service comparison and allow this for the general case.
We will clone this ticket to track removal of the sshd special-case and keep ticket #3264 to track the more generic solution.
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1466504
Issue linked to Bugzilla: Bug 1466504
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1466505 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1466504)
Issue linked to Bugzilla: Bug 1466505
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1466504 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1466505)
Moving to future releases because it's not clear if this ticket will end up in the next release or the one after that, but we have a downstream tracker to remind us if downstream needs the issue sooner. Alternatively, please holler if this bug is affecting you!
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD Future releases (no date set yet)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.0 (was: SSSD Future releases (no date set yet))
Metadata Update from @jhrozek: - Issue priority set to: major
Metadata Update from @jhrozek: - Issue tagged with: RFE
As one of the earlier comments say, this is a duplicate of issue #3264. Closing as such.
Metadata Update from @jhrozek:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4465
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.