#4023 Log the type of the auth token as string, not just number
Closed: wontfix a year ago by pbrezina. Opened 2 years ago by yhal.

It would be helpful to diagnose second factor problems if we could check the user has tried entering it (or, say, using a client that does not support OTP). Something along the lines of:

    m[0].msg_style = PAM_PROMPT_ECHO_OFF;
    m[0].msg = prompt_fa1;
    m[1].msg_style = PAM_PROMPT_ECHO_OFF;
    m[1].msg = prompt_fa2;
    if (m[1].msg == NULL || strlen(m[1].msg) == 0) {
        D(("otp is empty or NULL"));
    }

Hi,

I can already see if only one or two factors were entered in the logs in the pam_print_data blocks:

(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: ad.devel
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): user: tu1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: sbose
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 4756
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: tu1@ad.devel
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): flags: 2

where authtok type: 1 means single password and 3 means 2FA. Does this already help? If yes, I would use this ticket to not only print a number but a description as well.

bye,
Sumit

Yep this is helpful. What does "authtok type: 0" mean? We have quite a few of these.

Cheers,
Yuriy


Hi,

as you might have guessed 0 means that there are no credentials in the current PAM data. Credentials are only used for authentication, so they are available only during SSS_PAM_AUTHENTICATE. All other steps like access control, pre-auth, open and close session do not need them and have authtok type: 0.

HTH

bye,
Sumit

Cheers,
Yuriy
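As an added example (not code from the ticket or from SSSD itself), a small parser for the pam_print_data block format quoted above that attaches the descriptions Sumit gave (0, 1, 3) to the numeric authtok type and lists authentications that arrived with only a password on services where a second factor is expected, which is the "client does not support OTP" situation the ticket wants to diagnose. The log lines are constructed, the command name SSS_PAM_ACCT_MGMT for the access-control step is taken from the SSSD client protocol rather than from this thread, and the set of 2FA services is an assumption.

```python
import re
# Constructed sample in the pam_print_data format quoted in the thread (not real logs).
SAMPLE_LOG = """\
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): user: tu1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jun 11 15:07:30 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Jun 11 15:07:30 2019) [sssd[pam]] [pam_print_data] (0x0100): user: tu1
(Tue Jun 11 15:07:30 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jun 11 15:08:01 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Jun 11 15:08:01 2019) [sssd[pam]] [pam_print_data] (0x0100): user: tu2
(Tue Jun 11 15:08:01 2019) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Jun 11 15:08:01 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 3
"""

# Meanings stated in the thread; any other value is reported as a number, not guessed.
AUTHTOK_TYPES = {0: "none (no credentials in PAM data)", 1: "single password", 3: "2FA"}
LINE_RE = re.compile(r"^\((.+?)\) \[sssd\[pam\]\] \[pam_print_data\] \(0x[0-9a-f]+\): ([^:]+): (.*)$")

def describe_authtok(value):
    """Turn the numeric authtok type into the description the ticket asked for."""
    n = int(value)
    return AUTHTOK_TYPES.get(n, "unknown ({})".format(n))

def parse_blocks(text):
    """Group consecutive pam_print_data lines into one dict per PAM request.
    A request starts at its 'command:' line; the following keys are attached to it."""
    blocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, key, val = m.groups()
        if key == "command":
            blocks.append({"timestamp": ts})
        if blocks:
            blocks[-1][key] = val
    for b in blocks:
        if "authtok type" in b:
            b["authtok desc"] = describe_authtok(b["authtok type"])
    return blocks

def password_only_auths(blocks, two_factor_services):
    """(user, service) pairs that authenticated with a single password on a service
    where 2FA is expected: the 'client does not support OTP' case from the ticket."""
    return [(b.get("user"), b.get("service")) for b in blocks
            if b.get("command") == "SSS_PAM_AUTHENTICATE"
            and b.get("authtok type") == "1"
            and b.get("service") in two_factor_services]
```

Non-authenticate requests keep authtok type 0 as Sumit describes, so only SSS_PAM_AUTHENTICATE blocks are inspected for the missing second factor.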

Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

a year ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4994

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
