Hello, I installed a brand new IPA server to a clean Centos 7.2 and a brand new client to a clean Centos 7.2 install. My main requirement for this is using 2FA.

Seeing this was my main reason for trying IPA, so far the results are frustrating. I cannot assign 2FA to the 'admin' user on the IPA server so I can perform admin. Another issue is that even when I sucessfully log in with my 'test' user. I can run 'klist' and there is a ticket. But if I type 'kinit test' (same user I already have a ticket for), I see 'kinit: Generic preauthentication failure while getting initial credentials'


And the main reason I am posting - sudo 2FA:

To test, I created a new usergroup called 'superusers'. And defined a sudo rule for 'ALL'. When I log in using a 2FA enabled account and type 'sudo -l' I get the
loop of

-sh-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:

It will not accept the correct password.

If I disable 2FA for this user it works fine. Or if I add a '!authenticate' option to the rule it works. Obviously both solutions defeat the entire concept of using 2FA.

sudo_debug log log shows:

May 21 13:56:33 sudo[5251] -> expand_prompt @ ./check.c:287
May 21 13:56:33 sudo[5251] <- expand_prompt @ ./check.c:398 := [sudo] password for test:
May 21 13:56:33 sudo[5251] -> verify_user @ ./auth/sudo_auth.c:193
May 21 13:56:33 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:56:33 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:56:33 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:56:33 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:56:33 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:56:33 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:56:33 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:56:33 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:56:33 sudo[5251] -> getln @ ./tgetpass.c:272
May 21 13:57:20 sudo[5251] <- getln @ ./tgetpass.c:315 := ********
May 21 13:57:20 sudo[5251] -> term_restore @ ./term.c:73
May 21 13:57:20 sudo[5251] <- term_restore @ ./term.c:82 := 1
May 21 13:57:20 sudo[5251] <- tgetpass @ ./tgetpass.c:202 := ********
May 21 13:57:20 sudo[5251] <- auth_getpass @ ./auth/sudo_auth.c:365 := ********
May 21 13:57:20 sudo[5251] <- converse @ ./auth/pam.c:387 := 19
May 21 13:57:20 sudo[5251] <- sudo_pam_verify @ ./auth/pam.c:177 := 1
May 21 13:57:20 sudo[5251] -> pass_warn @ ./auth/sudo_auth.c:331
May 21 13:57:20 sudo[5251] <- pass_warn @ ./auth/sudo_auth.c:339
May 21 13:57:20 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:57:21 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:57:21 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:57:21 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:57:21 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:57:21 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:57:21 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:57:21 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:57:21 sudo[5251] -> getln @ ./tgetpass.c:272

The expand_prompt is not the prompt I am seeing for the 2FA case, it is the 'First Factor:' prompt similar to a console login.

In the sssd log, I also see before I am prompted for the 'First Factor:'.

(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

Everytime I enter the password for the 'First Factor' prompt, I see an entry on the IPA server KDC with 'NEEDED_PREAUTH: test@...'. I think that is normal, but I never see an eventual ticket issue like I do with console/ssh login.

Any suggestions/help on getting sudo with 2FA working?
Thanks,
Ken

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to