If I enable the multi-factor prompt for SSSD offline authentication, I see prompts like the ones below.
First Factor:
Second Factor:
But I have a question about the following case. When I enter input like the following, it also authenticates the user.
First Factor: pwd+otp
Second Factor: pwd+otp
So, can I tell if it's working normally?
On Tue, Nov 12, 2024 at 04:04:43AM -0000, seojeong kim via sssd-users wrote:
> If I enable the multi-factor prompt for SSSD offline authentication, I see prompts like the ones below.
> First Factor:
> Second Factor:
> But I have a question about the following case. When I enter input like the following, it also authenticates the user.
> First Factor: pwd+otp
> Second Factor: pwd+otp
Hi,
do you see this, by chance, with ssh? Do you see the same behavior if you e.g. use sudo on the command line?
bye, Sumit
> So, can I tell if it's working normally?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Tue, Nov 12, 2024 at 10:46:04AM -0000, seojeong kim via sssd-users wrote:
> I see this with ssh login.
Hi,
ok, then the behavior you see is expected. This is a special handling for ssh since we do not know if ssh was used with 'PasswordAuthentication' or 'KbdInteractiveAuthentication' (formerly known as 'ChallengeResponseAuthentication'). In the latter the full PAM prompting (First/Second factor) is shown to the user. In the former the ssh client always only asks for 'Password' and on the server side the user input is just sent to all PAM prompts, i.e. first and second factor prompt get the same input. If pam_sss detects this case, i.e. PAM service is 'sshd' and first and second factor are the same, it is assumed that the user entered first and second factor in a single string.
HTH
bye, Sumit
If it's expected behavior, then let's say a user logged in via ssh with pwd + otp for First Factor and Second Factor, i.e. the user put the single string twice.
And then, after the client goes into SSSD offline mode, can the user log in via ssh with the password only? When I test this case, I can successfully log in with the password only. Is that also normal behavior?
On Thu, Nov 21, 2024 at 09:39:44AM -0000, seojeong kim via sssd-users wrote:
> If it's expected behavior, then let's say a user logged in via ssh with pwd + otp for First Factor and Second Factor, i.e. the user put the single string twice.
> And then, after the client goes into SSSD offline mode, can the user log in via ssh with the password only? When I test this case, I can successfully log in with the password only. Is that also normal behavior?
Hi,
if both factors are entered in a single string SSSD cannot determine what the long term password (first factor) is and as a result offline authentication with only the long term password will not work. We added the two step prompting to make sure SSSD can safely determine what the long term password is and then store a hash of it in the cache for offline authentication.
bye, Sumit
I made a test again after deleting the SSSD cache.
#1 First login: I put pwd and otp separately.
First Factor: pwd
Second Factor: otp
At the second login I put it as a single string.
First Factor: pwd + otp
Second Factor: pwd + otp
SSSD offline password: with pwd only or pwd + any otp, I can successfully log in.
#2 Clear SSSD cache.
First Factor: pwd + otp
Second Factor: pwd + otp
SSSD offline password: I can't log in with the valid pwd.
From this, I guess that the SSSD cache is not refreshed after every successful login, is that right? What is the difference between test case #1 and #2 when SSSD saves the credential cache?
On Fri, Nov 22, 2024 at 02:10:13AM -0000, seojeong kim via sssd-users wrote:
> I made a test again after deleting the SSSD cache.
> #1 First login: I put pwd and otp separately.
> First Factor: pwd
> Second Factor: otp
> At the second login I put it as a single string.
> First Factor: pwd + otp
> Second Factor: pwd + otp
> SSSD offline password: with pwd only or pwd + any otp, I can successfully log in.
> #2 Clear SSSD cache.
> First Factor: pwd + otp
> Second Factor: pwd + otp
> SSSD offline password: I can't log in with the valid pwd.
> From this, I guess that the SSSD cache is not refreshed after every successful login, is that right? What is the difference between test case #1 and #2 when SSSD saves the credential cache?
Hi,
with 2FA SSSD only saves the hash of the long term password in the cache if first and second factor were given individually on the separate prompts. Additionally the length of the second factor is saved. This means the second attempt of #1 will not overwrite the cached data since the two factors were given in a single string and in #2 nothing will be saved at all for the same reason.
The offline login of #1 works either way because if the direct verification fails and SSSD detects that the password was saved during a 2FA it takes the saved length of the second factor, removes that many characters from the end of the input and checks again. For #2 nothing is saved and offline authentication will fail.
So as said before, for offline authentication to work it is crucial that both factors were entered separately once.
HTH
bye, Sumit
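The following is an added illustrative model of the two mechanisms described in this thread (the sshd single-string special case, and the offline cache that stores only a hash of the first factor plus the length of the second factor), written for this page and not taken from SSSD's own code. The backend checks, the credential values, the cache layout and the function names are all constructed stand-ins; the point is to replay the poster's test cases #1 and #2 and show why the cache behaves as Sumit describes. It also shows one consequence the thread implies but does not spell out: "pwd + any otp" only passes offline when the trailing part has the same length as the second factor that was saved.

```python
import hashlib
import hmac
import os

# Constructed placeholder credentials for the modelled identity provider.
LONG_TERM_PASSWORD = "correct-horse"
VALID_OTP = "123456"


def online_verify(first_factor, second_factor):
    """Hypothetical stand-in for the online check: both factors must be right."""
    return first_factor == LONG_TERM_PASSWORD and second_factor == VALID_OTP


def online_verify_single_string(combined):
    """Hypothetical stand-in for a backend that accepts 'password+otp' as one string."""
    return combined == LONG_TERM_PASSWORD + VALID_OTP


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class OfflineCache:
    """Models what the thread says is kept for offline 2FA: a salted hash of the
    long-term password and the length of the second factor, nothing more."""

    def __init__(self):
        self.entry = None

    def store(self, first_factor, second_factor_len):
        salt = os.urandom(16)
        self.entry = {"salt": salt, "hash": _hash(first_factor, salt),
                      "second_factor_len": second_factor_len}

    def matches(self, candidate):
        e = self.entry
        return e is not None and hmac.compare_digest(_hash(candidate, e["salt"]), e["hash"])


def online_login(cache, pam_service, first_factor, second_factor):
    """Online path: returns True on success; updates the cache only when the
    factors were answered on separate prompts."""
    # sshd with PasswordAuthentication feeds its one 'Password:' answer to every
    # PAM prompt, so both factors arrive identical; the model then assumes the
    # user typed password and OTP as a single string (the thread's special case).
    single_string = pam_service == "sshd" and first_factor == second_factor
    if single_string:
        ok = online_verify_single_string(first_factor)
    else:
        ok = online_verify(first_factor, second_factor)
    if ok and not single_string:
        # Only here is the long-term password known for certain, so only here
        # is the cache written.
        cache.store(first_factor, len(second_factor))
    return ok


def offline_login(cache, entered):
    """Offline path: try the input directly, then retry after removing as many
    trailing characters as the saved second-factor length."""
    if cache.entry is None:
        return False
    if cache.matches(entered):
        return True
    n = cache.entry["second_factor_len"]
    if 0 < n < len(entered):
        return cache.matches(entered[:-n])
    return False


def run_scenarios():
    """Replays test cases #1 and #2 from the thread; returns name -> outcome."""
    results = {}
    combined = LONG_TERM_PASSWORD + VALID_OTP
    # #1: factors entered separately once, then as a single string via sshd.
    c1 = OfflineCache()
    results["1_separate"] = online_login(c1, "sshd", LONG_TERM_PASSWORD, VALID_OTP)
    results["1_single"] = online_login(c1, "sshd", combined, combined)
    results["1_offline_pwd"] = offline_login(c1, LONG_TERM_PASSWORD)
    results["1_offline_pwd_any_otp"] = offline_login(c1, LONG_TERM_PASSWORD + "000000")
    results["1_offline_pwd_short_otp"] = offline_login(c1, LONG_TERM_PASSWORD + "00")
    results["1_offline_wrong"] = offline_login(c1, "wrong-password")
    # #2: cache cleared, only the single-string form ever used.
    c2 = OfflineCache()
    results["2_single"] = online_login(c2, "sshd", combined, combined)
    results["2_offline_pwd"] = offline_login(c2, LONG_TERM_PASSWORD)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} {'OK' if ok else 'FAIL'}")
```

Running the block prints one line per scenario: in #1 both online logins succeed, and offline login succeeds with the password alone or with a six-character suffix appended, but not with a two-character suffix or a wrong password; in #2 the online login succeeds but nothing was cached, so the offline login with the valid password fails.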