Hello everyone, I've already done searches without success; I need someone to point me in the direction of resolving a strange behavior I'm experiencing on servers with the RedHat/CentOS operating system. I have installed FreeIPA 4.10.1 on Oracle Linux 9 and all users by default have Radius authentication via a Cisco server; users can access via SSH the 100 servers configured, and we have OSes of all types (Debian, RedHat, CentOS, Ubuntu). The behavior I get is the following:

Debian based distro: SSH login and sudo work perfectly using the Radius credentials.

RedHat based distro: the SSH login prompt asks for 2FA, first factor & second factor (optional), and I can log in by entering the Radius credentials and using the same password two times; sudo asks for 2FA and authentication fails when entering the same password two times.

I don't understand if the problem is on the FreeIPA client or server, or why there is a difference in behavior between Debian and RedHat systems. Can anyone give me directions to understand what's happening?

Note: I have never set up 2FA authentication on the FreeIPA server; the users are correctly configured and the "ipa user-show" command confirms "User authentication types: radius". If I change the user configuration to password, everything works fine.
On Mon, Sep 18, 2023 at 03:55:32PM -0000, Sirio Sannipoli via FreeIPA-users wrote:
> Hello everyone, I've already done searches without success; I need someone to point me in the direction of resolving a strange behavior I'm experiencing on servers with the RedHat/CentOS operating system. I have installed FreeIPA 4.10.1 on Oracle Linux 9 and all users by default have Radius authentication via a Cisco server; users can access via SSH the 100 servers configured, and we have OSes of all types (Debian, RedHat, CentOS, Ubuntu). The behavior I get is the following:
>
> Debian based distro: SSH login and sudo work perfectly using the Radius credentials.
>
> RedHat based distro: the SSH login prompt asks for 2FA, first factor & second factor (optional), and I can log in by entering the Radius credentials and using the same password two times; sudo asks for 2FA and authentication fails when entering the same password two times.
>
> I don't understand if the problem is on the FreeIPA client or server, or why there is a difference in behavior between Debian and RedHat systems. Can anyone give me directions to understand what's happening?
Hi,
as long as the Radius server only expects a single string for authentication, please just enter the password at the first prompt and just press Enter at the second (optional) prompt. Then authentication should work in all cases.
ssh has a special behavior when it comes to multiple prompts where some of them are optional. As a result there is some special handling for ssh if the inputs in multiple prompts are the same. That's why entering the password twice with ssh works, but just entering it at the first prompt is the expected way to use it and should work as well.
HTH
bye, Sumit
> Note: I have never set up 2FA authentication on the FreeIPA server; the users are correctly configured and the "ipa user-show" command confirms "User authentication types: radius". If I change the user configuration to password, everything works fine.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thanks so much Sumit, your suggestion works perfectly. I'm still curious about the difference in behavior between distributions, but it's not that important. Greetings
On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote:
> Thanks so much Sumit, your suggestion works perfectly. I'm still curious about the difference in behavior between distributions, but it's not that important. Greetings
Probably on RHEL you have pam_sssd in your PAM stack, which is able to present separate prompts for both factors; whereas on Debian you have pam_unix which can only present a "Password:" prompt.
This happens because pam_unix is registered in Debian's pam-auth-update mechanism with priority 256, whereas pam_sss is only registered with priority 128. Thus, the 'common-auth' PAM stack (which is included by sshd, login, gdm, etc.) has pam_auth.so first, which prompts for the password; then pam_sss.so is called, with the 'use_first_pass' option, so it uses the password stashed by pam_unix.so instead of presenting its own prompts.
I think pam_sss's priority should be bumped but I've not gotten around to chasing this request:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001644
Sam Morris via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote:
>> Thanks so much Sumit, your suggestion works perfectly. I'm still curious about the difference in behavior between distributions, but it's not that important. Greetings
> Probably on RHEL you have pam_sssd in your PAM stack, which is able to present separate prompts for both factors; whereas on Debian you have pam_unix which can only present a "Password:" prompt.
> This happens because pam_unix is registered in Debian's pam-auth-update mechanism with priority 256, whereas pam_sss is only registered with priority 128. Thus, the 'common-auth' PAM stack (which is included by sshd, login, gdm, etc.) has pam_auth.so first, which prompts for the password; then pam_sss.so is called, with the 'use_first_pass' option, so it uses the password stashed by pam_unix.so instead of presenting its own prompts.
> I think pam_sss's priority should be bumped but I've not gotten around to chasing this request:
Thanks for opening the bug - I think that's the right thing to do. As a workaround I prepared a file /usr/share/pam-configs/unix+sss with the config I wanted and enabled that instead of "unix" in pam-auth-update.
Jochen
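A small added example (my own, not code from any of the posters) that makes Sam's ordering explanation and Jochen's workaround concrete: a constructed unix+sss pam-auth-update profile (the thread names the file but never shows its content, so the profile text and its priority are assumptions) and a check that reports which of pam_sss.so and pam_unix.so gets to prompt first in a given common-auth, run here over constructed Debian-style and RHEL-style fragments:

```shell
# Added example, not from the thread. A constructed "unix+sss" profile for
# /usr/share/pam-configs (the thread names the file but not its content, so
# this is an assumption) plus a check of which module prompts first.
# Priority 256 is assumed so it sorts where the stock "unix" profile does.
unix_sss_profile() {
    cat <<'EOF'
Name: Unix + SSS authentication
Default: yes
Priority: 256
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_sss.so use_first_pass
	[success=end default=ignore]	pam_unix.so nullok try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_sss.so forward_pass
	[success=end default=ignore]	pam_unix.so nullok try_first_pass
EOF
}

# Print "sss", "unix" or "none": the first of the two modules on an "auth"
# line of the given file. The first module owns the prompt; the later one
# only sees the stashed password, so pam_sss cannot show its own 2FA prompts
# when pam_unix runs ahead of it.
first_auth_module() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        $1 == "auth" {
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_sss.so")  { found = 1; print "sss";  exit }
                if ($i == "pam_unix.so") { found = 1; print "unix"; exit }
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Constructed common-auth fragments in the shape each distro family generates.
sample_stack() {
    case "$1" in
        debian) printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok\nauth\t[success=1 default=ignore]\tpam_sss.so use_first_pass\nauth\trequisite\tpam_deny.so\n' ;;
        rhel)   printf 'auth\tsufficient\tpam_sss.so forward_pass\nauth\tsufficient\tpam_unix.so try_first_pass\nauth\trequired\tpam_deny.so\n' ;;
    esac
}
tmp=$(mktemp -d)
for d in debian rhel; do
    sample_stack "$d" > "$tmp/$d"
    echo "$d: first prompting module is $(first_auth_module "$tmp/$d")"
done
rm -rf "$tmp"
```

Pointing first_auth_module at the real /etc/pam.d/common-auth (Debian) or /etc/pam.d/password-auth (RHEL) on each host shows which behaviour from the thread that host will exhibit.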