Bug 726 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.14
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2015-10-31 11:37 MDT by David Kreitschmann
Modified: 2016-03-08 06:52 MST (History)
Description David Kreitschmann 2015-10-31 11:37:27 MDT
PAM can show multiple password prompts, e.g. for 2-Factor authorization. Sudo seems to be limited to one password prompt.

pam_sss in Fedora 22 and 23 will use the following prompt if 2FA is enabled for the user (using the FreeIPA Backend).
First Factor: 
Second Factor: 

The second factor usually is provided by an OTP (hardware) token.

SUDO currently only uses the first prompt and stops after that.

$ sudo -s
First Factor: 
Sorry, try again
First Factor:
Comment 1 Todd C. Miller 2016-02-25 09:58:09 MST
Sudo's conversation function will iterate over the pam_message structures and prompt for each message, so if pam_sss is using multiple prompts directly it should work.

It's also possible that pam_sss is simply stacking things with use_first_pass but I would expect that to work as well.

I don't have a FreeIPA server set up so I can't easily reproduce this. Without knowing more about the pam.d config used by pam_sss to implement 2 factor authentication there's not much I can do.
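For readers unfamiliar with the mechanism Todd refers to, here is an added example (not sudo's, sssd's or pam_sss's code) of a PAM conversation callback that answers every prompt a module sends in one call instead of stopping after the first. The struct and constant definitions are constructed stand-ins with the same layout and values as Linux-PAM's security/pam_appl.h so the file compiles without libpam; the scripted answer source and the run_two_factor_exchange driver, which plays the role of a module sending "First Factor: " and "Second Factor: " in a single conversation, are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for <security/pam_appl.h> (same values as Linux-PAM). */
#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* appdata for the callback: a real client would read the terminal
 * (echo off for PAM_PROMPT_ECHO_OFF); here answers are scripted so the
 * exchange can be driven without a tty.  Assumed helper, not a PAM type. */
struct scripted_answers {
    const char **answers;
    int count;
    int next;
};

static int multi_prompt_conv(int num_msg, const struct pam_message **msg,
                             struct pam_response **resp, void *appdata_ptr)
{
    struct scripted_answers *src = appdata_ptr;
    struct pam_response *reply;
    int i;

    if (num_msg <= 0 || msg == NULL || resp == NULL)
        return PAM_CONV_ERR;

    /* PAM expects one pam_response per pam_message, in one array that
     * the module later releases with free(). */
    reply = calloc((size_t)num_msg, sizeof(*reply));
    if (reply == NULL)
        return PAM_BUF_ERR;

    /* The point of this bug: walk *all* messages.  A client that only
     * handled msg[0] would stop after "First Factor:". */
    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (src->next >= src->count)
                goto fail;                  /* no answer left to give */
            reply[i].resp = strdup(src->answers[src->next++]);
            if (reply[i].resp == NULL)
                goto fail;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            fprintf(stderr, "%s\n", msg[i]->msg);  /* display only */
            break;
        default:
            goto fail;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;

fail:
    /* Wipe and release partial answers so secrets do not linger. */
    for (i = 0; i < num_msg; i++) {
        if (reply[i].resp != NULL) {
            memset(reply[i].resp, 0, strlen(reply[i].resp));
            free(reply[i].resp);
        }
    }
    free(reply);
    return PAM_CONV_ERR;
}

/* Assumed stand-in for a 2FA module sending both prompts in one call.
 * Returns how many prompts got a non-empty answer, or -1 on error. */
int run_two_factor_exchange(const char **answers, int count)
{
    struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "First Factor: " };
    struct pam_message m2 = { PAM_PROMPT_ECHO_OFF, "Second Factor: " };
    const struct pam_message *msgs[2] = { &m1, &m2 };
    struct pam_response *resp = NULL;
    struct scripted_answers src = { answers, count, 0 };
    int i, filled = 0;

    if (multi_prompt_conv(2, msgs, &resp, &src) != PAM_SUCCESS)
        return -1;
    for (i = 0; i < 2; i++) {
        if (resp[i].resp != NULL && resp[i].resp[0] != '\0')
            filled++;
        free(resp[i].resp);
    }
    free(resp);
    return filled;
}

int main(void)
{
    const char *answers[] = { "hunter2", "123456" };   /* constructed */
    printf("answered prompts: %d\n", run_two_factor_exchange(answers, 2));
    return 0;
}
```

If a module instead issues each factor in a separate pam_conv call, the same callback is simply invoked twice with num_msg == 1; both shapes work as long as the client never assumes a single message per call.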
Comment 2 David Kreitschmann 2016-02-25 10:33:26 MST
Here is the relevant part of the pam config (taken from Fedora 22).
It seems to me that sudo doesn't iterate over all prompts.
All other pam services which I checked use the same system-auth file.

This is what should happen:
$ su username
First Factor: 
Second Factor: 
su: Fehler bei Authentifizierung

An authentication error will only be shown after both factors were typed in. So sudo definitely quits before the conversation is finished.

/etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Comment 3 David Kreitschmann 2016-03-08 06:52:27 MST
The issue has been solved within sssd:

https://bugzilla.redhat.com/show_bug.cgi?id=1276868