Hello, I installed a brand new IPA server to a clean Centos 7.2 and a brand new client to a clean Centos 7.2 install. My main requirement for this is using 2FA.

Seeing this was my main reason for trying IPA, so far the results are frustrating. I cannot assign 2FA to the 'admin' user on the IPA server so I can perform admin. Another issue is that even when I successfully log in with my 'test' user, I can run 'klist' and there is a ticket. But if I type 'kinit test' (same user I already have a ticket for), I see 'kinit: Generic preauthentication failure while getting initial credentials'

And the main reason I am posting - sudo 2FA:

To test, I created a new usergroup called 'superusers'. And defined a sudo rule for 'ALL'. When I log in using a 2FA enabled account and type 'sudo -l' I get the loop of

-sh-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:

It will not accept the correct password.

If I disable 2FA for this user it works fine. Or if I add a '!authenticate' option to the rule it works. Obviously both solutions defeat the entire concept of using 2FA.

sudo_debug log shows:

May 21 13:56:33 sudo[5251] -> expand_prompt @ ./check.c:287
May 21 13:56:33 sudo[5251] <- expand_prompt @ ./check.c:398 := [sudo] password for test:
May 21 13:56:33 sudo[5251] -> verify_user @ ./auth/sudo_auth.c:193
May 21 13:56:33 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:56:33 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:56:33 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:56:33 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:56:33 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:56:33 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:56:33 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:56:33 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:56:33 sudo[5251] -> getln @ ./tgetpass.c:272
May 21 13:57:20 sudo[5251] <- getln @ ./tgetpass.c:315 := ********
May 21 13:57:20 sudo[5251] -> term_restore @ ./term.c:73
May 21 13:57:20 sudo[5251] <- term_restore @ ./term.c:82 := 1
May 21 13:57:20 sudo[5251] <- tgetpass @ ./tgetpass.c:202 := ********
May 21 13:57:20 sudo[5251] <- auth_getpass @ ./auth/sudo_auth.c:365 := ********
May 21 13:57:20 sudo[5251] <- converse @ ./auth/pam.c:387 := 19
May 21 13:57:20 sudo[5251] <- sudo_pam_verify @ ./auth/pam.c:177 := 1
May 21 13:57:20 sudo[5251] -> pass_warn @ ./auth/sudo_auth.c:331
May 21 13:57:20 sudo[5251] <- pass_warn @ ./auth/sudo_auth.c:339
May 21 13:57:20 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:57:21 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:57:21 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:57:21 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:57:21 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:57:21 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:57:21 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:57:21 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:57:21 sudo[5251] -> getln @ ./tgetpass.c:272

The expand_prompt is not the prompt I am seeing for the 2FA case, it is the 'First Factor:' prompt similar to a console login.

In the sssd log, I also see the following before I am prompted for 'First Factor:'.

(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

Every time I enter the password for the 'First Factor' prompt, I see an entry on the IPA server KDC with 'NEEDED_PREAUTH: test@...'. I think that is normal, but I never see an eventual ticket issue like I do with console/ssh login.

Any suggestions/help on getting sudo with 2FA working?
Thanks,
Ken
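A small reader for sudo_debug traces like the one in the post, added here as an example and not part of the post, of sudo or of FreeIPA. It pairs the numeric return values with their names (PAM_CONV_ERR = 19 from Linux-PAM's _pam_types.h, AUTH_FAILURE = 1 from sudo's sudo_auth.h) so the failed PAM conversation stands out; the sample lines are a constructed subset of the trace above.

```python
import re
from typing import Dict, List

# One sudo_debug trace line: timestamp, pid, call direction, function,
# source location and an optional ":= return value".
TRACE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) sudo\[(?P<pid>\d+)\] '
    r'(?P<dir>->|<-) (?P<func>\w+) @ (?P<file>\S+):(?P<line>\d+)'
    r'(?: := (?P<ret>.*))?$'
)

# Linux-PAM status codes relevant to a sudo conversation.
PAM_STATUS = {0: 'PAM_SUCCESS', 7: 'PAM_AUTH_ERR', 19: 'PAM_CONV_ERR'}
# sudo's own verify results (sudo_auth.h).
SUDO_AUTH = {0: 'AUTH_SUCCESS', 1: 'AUTH_FAILURE'}

# Constructed sample: a subset of the trace quoted in the post.
SAMPLE_TRACE = """\
May 21 13:56:33 sudo[5251] -> verify_user @ ./auth/sudo_auth.c:193
May 21 13:56:33 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:56:33 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:57:20 sudo[5251] <- tgetpass @ ./tgetpass.c:202 := ********
May 21 13:57:20 sudo[5251] <- converse @ ./auth/pam.c:387 := 19
May 21 13:57:20 sudo[5251] <- sudo_pam_verify @ ./auth/pam.c:177 := 1
May 21 13:57:20 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:57:21 sudo[5251] -> converse @ ./auth/pam.c:305
""".splitlines()


def analyze_sudo_pam_trace(lines: List[str]) -> Dict[str, object]:
    """Summarise how sudo's PAM conversation went in a debug trace."""
    attempts = 0            # entries into sudo_pam_verify (one per prompt)
    password_read = False   # tgetpass returned a (masked) password
    converse: List[str] = []
    verify: List[str] = []
    for raw in lines:
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue
        func, direction, ret = m['func'], m['dir'], m['ret']
        if func == 'sudo_pam_verify' and direction == '->':
            attempts += 1
        elif direction == '<-' and ret is not None:
            if func == 'tgetpass' and ret and ret.strip('*') == '':
                password_read = True   # sudo logs the password as '*' only
            elif func == 'converse':
                converse.append(PAM_STATUS.get(int(ret), f'PAM_{ret}'))
            elif func == 'sudo_pam_verify':
                verify.append(SUDO_AUTH.get(int(ret), f'AUTH_{ret}'))
    return {'attempts': attempts, 'password_read': password_read,
            'converse': converse, 'verify': verify}
```

On the post's trace this reports that a password was read and handed to PAM, that the conversation itself failed (PAM_CONV_ERR rather than PAM_AUTH_ERR), and that sudo then re-prompted, which matches the "Sorry, try again" loop.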

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
