The nightly test test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt failed in testing_master_latest, in PR 4627. See the logs:
```
test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt

self = <ipatests.test_integration.test_otp.TestOTPToken object at 0x7f5874e0a760>

    def test_2fa_enable_single_prompt(self):
        """Test ssh with 2FA when single prompt is enabled.

        Test for : https://pagure.io/SSSD/sssd/issue/3264

        When [prompting/2fa/sshd] with single_prompt = True is set then
        during ssh it should be prompted with given message for first and
        second factor at once.
        """
        master = self.master
        USER1 = 'sshuser1'
        sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
        first_prompt = 'Please enter password + OTP token value:'
        add_contents = textwrap.dedent('''
            [prompting/2fa/sshd]
            single_prompt = True
            first_prompt = {0}
            ''').format(first_prompt)
        set_sssd_conf(master, add_contents)
        tasks.create_active_user(master, USER1, PASSWORD)
        tasks.kinit_admin(master)
        master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type=otp'])
        try:
            otpuid, totp = add_otptoken(master, USER1, otptype='totp')
            master.run_command(['ipa', 'otptoken-show', otpuid])
            otpvalue = totp.generate(int(time.time())).decode('ascii')
            answers = {
                first_prompt: '{0}{1}'.format(PASSWORD, otpvalue),
            }
>           ssh_2f(master.hostname, USER1, answers)

test_integration/test_otp.py:254:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test_integration/test_otp.py:105: in ssh_2f
    trans.auth_interactive(username, answer_handler)
../paramiko/transport.py:1633: in auth_interactive
    return self.auth_handler.wait_for_response(my_event)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <paramiko.auth_handler.AuthHandler object at 0x7f5874d4c5e0>
event = <threading.Event object at 0x7f5874d5af70>

    def wait_for_response(self, event):
        max_ts = None
        if self.transport.auth_timeout is not None:
            max_ts = time.time() + self.transport.auth_timeout
        while True:
            event.wait(0.1)
            if not self.transport.is_active():
                e = self.transport.get_exception()
                if (e is None) or issubclass(e.__class__, EOFError):
                    e = AuthenticationException("Authentication failed.")
                raise e
            if event.is_set():
                break
            if max_ts is not None and max_ts <= time.time():
                raise AuthenticationException("Authentication timeout.")

        if not self.is_authenticated():
            e = self.transport.get_exception()
            if e is None:
                e = AuthenticationException("Authentication failed.")
            # this is horrible.  Python Exception isn't yet descended from
            # object, so type(e) won't work. :(
            if issubclass(e.__class__, PartialAuthentication):
                return e.allowed_types
>           raise e
E           paramiko.ssh_exception.BadAuthenticationType: Bad authentication type; allowed types: ['publickey', 'gssapi-keyex', 'gssapi-with-mic', 'password']

../paramiko/auth_handler.py:250: BadAuthenticationType
```
Metadata Update from @frenaud: - Issue tagged with: test-failure, tests
The test succeeds in Fedora 31 but fails in Fedora 32. In Fedora 32, sshd has a drop-in directory /etc/ssh/sshd_config.d/ that allows including additional configuration files, and 05-redhat.conf is shipped in this directory, setting ChallengeResponseAuthentication no. As a consequence, the ssh client unconditionally just prompts for a password and the PAM conversation is not available.
ipa-client-install is setting ChallengeResponseAuthentication yes, but in the file /etc/ssh/sshd_config, and it looks like the settings in 05-redhat.conf win, resulting in ChallengeResponseAuthentication no.
We should probably also use a drop-in config file and make sure that it has higher priority.
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4839
master:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field changelog adjusted to ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" takes precedence.
Fixing this created another problem, because the spec trigger doesn't ensure that sshd_config actually includes the snippet files: https://pagure.io/freeipa/issue/8535
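The two comments above describe an sshd precedence rule that is easy to get wrong: for each keyword sshd uses the first value it obtains, and an `Include` is expanded in place with its glob matches processed in sorted order, so a drop-in that sorts before 05-redhat.conf wins while a setting placed after the `Include` in /etc/ssh/sshd_config loses, and a drop-in is never read at all if the main file lacks the `Include` line (the follow-up issue 8535). The following is an added illustration, not FreeIPA or OpenSSH code: a small resolver that applies the first-value-wins rule to a constructed copy of the Fedora 32 layout (05-redhat.conf, optional 04-ipa.conf, optional Include). It does not model `Match` blocks; on a real host the authoritative check is `sshd -T`.

```python
"""Illustrate sshd's first-value-wins resolution across drop-in files.

Constructed scenario mirroring the issue: /etc/ssh/sshd_config may or may
not carry an Include of sshd_config.d/*.conf, 05-redhat.conf sets
ChallengeResponseAuthentication no, and the fix ships 04-ipa.conf which
sorts before it. Hypothetical helper code, not part of FreeIPA.
"""
import glob
import tempfile
from pathlib import Path


def parse_sshd_config(path, seen=None):
    """Return the effective keyword -> value mapping for a config tree.

    Rule as documented for sshd_config: the first obtained value for a
    keyword is used. Include lines are expanded in place and their glob
    matches are processed in sorted order. Match blocks are not modelled.
    """
    if seen is None:
        seen = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ''
            if keyword == 'include':
                for pattern in value.split():
                    for included in sorted(glob.glob(pattern)):
                        parse_sshd_config(included, seen)
                continue
            seen.setdefault(keyword, value)  # first value wins, later ones ignored
    return seen


def build_scenario(root, ipa_snippet, include_line, main_value):
    """Write a constructed etc/ssh tree under root and return the main config path."""
    ssh_dir = Path(root) / 'etc' / 'ssh'
    dropin = ssh_dir / 'sshd_config.d'
    dropin.mkdir(parents=True)
    # Shipped by the Fedora 32 openssh-server package per the issue.
    (dropin / '05-redhat.conf').write_text('ChallengeResponseAuthentication no\n')
    if ipa_snippet:
        # The fix: a snippet that sorts before 05-redhat.conf.
        (dropin / '04-ipa.conf').write_text('ChallengeResponseAuthentication yes\n')
    lines = []
    if include_line:
        lines.append('Include %s/*.conf' % dropin)
    if main_value is not None:
        # Where ipa-client-install used to write the setting, after the Include.
        lines.append('ChallengeResponseAuthentication %s' % main_value)
    main = ssh_dir / 'sshd_config'
    main.write_text('\n'.join(lines) + '\n')
    return main


def effective_cra(ipa_snippet, include_line, main_value='yes'):
    """Effective ChallengeResponseAuthentication, or None if nothing sets it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = build_scenario(tmp, ipa_snippet, include_line, main_value)
        return parse_sshd_config(str(cfg)).get('challengeresponseauthentication')


if __name__ == '__main__':
    # Before the fix: 'yes' in sshd_config sits after the Include, so 05-redhat.conf wins.
    print('before fix :', effective_cra(ipa_snippet=False, include_line=True))
    # After the fix: 04-ipa.conf sorts first and wins.
    print('after fix  :', effective_cra(ipa_snippet=True, include_line=True))
    # Issue 8535: no Include in sshd_config, so the snippet is silently ignored.
    print('no Include :', effective_cra(ipa_snippet=True, include_line=False, main_value=None))
```

The third case is the one the spec trigger has to guard against: with no `Include` line the drop-in directory is never consulted, the option falls back to sshd's built-in default, and nothing in the snippet itself can detect that.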