Sometime around CentOS 7.5, PAM auth was changed to skip pam_unix except for local accounts. The goal was to allow pam_sss to give multiple prompts for multiple factors.
This is nice in principle, but we’re having to back out. I thought SSSD maintainers and others might want to know why.
We use FreeOTP for all systems staff and some users. Two prompts work fine for sshd and other things where Red Hat is responsible for maintenance. But it fails for everything else. Examples: X2Go, Xrdp, JupyterHub, Zeppelin, anything using LDAP authentication. Indeed pretty much every web application or commercial application that needs to authenticate.
It appears that at this point, at least in our environment, it’s not practical to use any authentication that requires multiple prompts.
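For readers who have not seen the change being described, here is the shape of the `auth` section that authconfig writes to /etc/pam.d/system-auth-ac on CentOS/RHEL 7.5 and later, followed by the older single-prompt shape. This is an added illustration, not text from the original message or from the authconfig or SSSD projects; the exact lines are reconstructed from memory of authconfig output and should be compared against the host's own file before being relied on.

```pam
# auth section of /etc/pam.d/system-auth-ac as generated on CentOS 7.5+
# (reconstructed for illustration; verify against the real file).
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
# uid < 1000 (system accounts): skip the next line and go straight to pam_unix.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
# uid >= 1000: only users present in /etc/passwd reach pam_unix; everyone
# else jumps over it, so pam_sss is the first module to prompt them.
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# pam_sss runs its own conversation: for an OTP-enabled user that is two
# prompts (password, then token), which single-prompt clients cannot answer.
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

# Older single-prompt shape (what "backing out" amounts to):
# pam_unix always issues the one "Password:" prompt and pam_sss, with
# use_first_pass, reuses that string and never prompts on its own.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
```

The trade-off is visible in the second stack: an application that only implements one PAM conversation round-trip now works, but an OTP-enabled user has a single prompt in which to supply both factors, so whatever they type reaches pam_sss as one string and the backend has to make sense of it. That is the gap the delimiter suggestion later in this thread is aimed at.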
On Mon, Mar 18, 2019 at 04:40:48PM +0000, Charles Hedrick wrote:
> Sometime around CentOS 7.5, PAM auth was changed to skip pam_unix except for local accounts. The goal was to allow pam_sss to give multiple prompts for multiple factors.
> This is nice in principle, but we’re having to back out. I thought SSSD maintainers and others might want to know why.
> We use FreeOTP for all systems staff and some users. Two prompts work fine for sshd and other things where Red Hat is responsible for maintenance. But it fails for everything else. Examples: X2Go, Xrdp, JupyterHub, Zeppelin, anything using LDAP authentication. Indeed pretty much every web application or commercial application that needs to authenticate.
> It appears that at this point, at least in our environment, it’s not practical to use any authentication that requires multiple prompts.
Hi,
jfyi, I'm currently working on making the prompting more configurable/flexible. You can find my WIP design page at https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38736...
Comments and suggestions are welcome.
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
That looks good, mostly.
In my case it looks like I’m going to have to force a single prompt for all of ssh. At that point I might as well do it for everything, to minimize user confusion. So I won’t use all that flexibility.
Why do I have to force a single password for ssh? X2Go uses ssh. It can’t support multiple prompts. But there’s no obvious way to tell when ssh is being used by X2Go. sshd calls pam_authenticate with a minimum of environment variables, none of which have information that would help.
You might consider allowing a configurable delimiter character when the two factors are combined. There are situations where this won’t work. But in most cases the one-time part is going to use a limited character set, so looking for the last occurrence of the delimiter should work. You should know when two factors are in use because of the preauthentication type. For the offline case you’d want the user’s cache entry to include a bit saying whether 2FA was used. That way you know whether to look for the delimiter.
On Mar 18, 2019, at 1:06 PM, Sumit Bose sbose@redhat.com wrote:
> Hi,
> jfyi, I'm currently working on making the prompting more configurable/flexible. You can find my WIP design page at https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38736...
> Comments and suggestions are welcome.
> bye, Sumit
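As an added illustration of the delimiter proposal in Charles Hedrick's reply above (split a single-prompt string at the last delimiter, decide from the pre-authentication type whether two factors are in use, and keep a bit in the offline cache entry), here is how that logic could be expressed. This is example code written for this page, not SSSD code and not anything the maintainers have committed to. The `+` delimiter, the 6- or 8-digit OTP assumption, the `used_2fa` field name and the `CacheEntry` record are assumptions; the pre-authentication type number 141 is PA-OTP-CHALLENGE from RFC 6560.

```python
"""Delimiter-based handling of a single-prompt "password<delim>OTP" string.

Added illustration of the proposal in the thread; not SSSD code.
Assumptions: the delimiter is configurable (default "+"), an OTP is 6 or 8
decimal digits, and the offline cache entry carries a `used_2fa` flag.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# RFC 6560 assigns the pre-authentication type number 141 to PA-OTP-CHALLENGE;
# a KDC that offers it is telling us the principal is OTP-enabled.
PA_OTP_CHALLENGE = 141

# Assumption: tokens are HOTP/TOTP with 6 or 8 digits (the "limited character
# set" the proposal relies on when scanning for the last delimiter).
OTP_LENGTHS = (6, 8)


@dataclass
class CacheEntry:
    """Offline cache record; `used_2fa` is the bit the proposal asks for."""
    user: str
    used_2fa: bool


def two_factor_expected(online: bool, preauth_types: FrozenSet[int],
                        cache: Optional[CacheEntry]) -> bool:
    """Online: the pre-auth types offered by the KDC say whether OTP is in use.
    Offline: fall back to the flag recorded at the user's last online login."""
    if online:
        return PA_OTP_CHALLENGE in preauth_types
    return cache is not None and cache.used_2fa


def split_credential(secret: str,
                     delimiter: str = "+") -> Optional[Tuple[str, str]]:
    """Split at the LAST delimiter so a password may itself contain it.
    Returns (password, otp), or None if the tail does not look like an OTP."""
    password, sep, otp = secret.rpartition(delimiter)
    if not sep or not password:
        return None
    if len(otp) not in OTP_LENGTHS or not otp.isdigit():
        return None
    return password, otp


def interpret_single_prompt(secret: str, expect_2fa: bool,
                            delimiter: str = "+") -> Tuple[str, ...]:
    """Decide what the one string typed at a single prompt means.

    Returns ("password", secret), ("2fa", password, otp) or ("reject", why).
    """
    if not expect_2fa:
        # A delimiter inside an ordinary password stays part of the password;
        # we only look for one when we already know two factors are in use.
        return ("password", secret)
    parts = split_credential(secret, delimiter)
    if parts is None:
        # Two factors required but no well-formed token at the end: fail
        # closed instead of retrying the whole string as a password.
        return ("reject", "expected password%sOTP" % delimiter)
    return ("2fa",) + parts


if __name__ == "__main__":
    # Constructed inputs, not real credentials.
    online_otp_user = two_factor_expected(True, frozenset({PA_OTP_CHALLENGE}), None)
    print(interpret_single_prompt("hunter2+123456", online_otp_user))
    print(interpret_single_prompt("a+b+c+87654321", online_otp_user))
    offline_plain = two_factor_expected(False, frozenset(), CacheEntry("bob", False))
    print(interpret_single_prompt("hunter2+123456", offline_plain))
```

The known weak spot the reply itself concedes is handled by failing closed: a password that ends in the delimiter followed by a short digit run (say `abc+12`) cannot be split unambiguously, so `interpret_single_prompt` rejects rather than guessing. Anything that looks like a plain password when two factors are not expected is passed through untouched, including any delimiter characters it contains.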