#3585 Reset password with two factor authentication fails
Closed: Fixed 4 years ago Opened 4 years ago by hicksaw.

In the case where a user has an expired password and an OTP token for second factor set, the user can not reset their password.

The expected outcome is that a user with an expired password and a valid token connects to a host via ssh is that pre-auth will discover that the user has an expired password and an OTP token from the directory (we use FreeIPA), then the user authorises with only the expired password, goes through the password reset process, and is then disconnected.

What happens is the user connects via ssh, is asked for their password, then the Current Password: prompt appears, fails and returns to the password: prompt. The password reset fails. So all connections are locked out.

Pretty sure it's a case covered by the TODO here: https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395

More detail posted to the FreeIPA user list: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/I2ADJSI47I7R3KOEDBG2PDOHY7GFT4JH/#RKOE6BB6KK2EUSMQM6NF25WX6BTIL5L5


Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0

4 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

4 years ago

Metadata Update from @jhrozek:
- Issue tagged with: bug

4 years ago

In addition pam_sss says "Second Factor (optional):" when the second factor is required.

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1523019

4 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 2.0)

4 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4609

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata