Add force second factor #6533
Conversation
Hi @huckabeec, sorry this PR got somehow lost. Could you please rebase on top of the latest 'master' branch?
Why do you enable it only for ssh? Wouldn't it be useful for other services?
On top of that, do you mind squashing all the changes in one commit?
src/man/pam_sss.8.xml (Outdated)
all in the first factor, set this option. A NULL or
empty second factor will cause login to fail.
Fix the indentation
Now there's a different indentation problem. I think it's because you are mixing tabs and spaces.
Hi, I wonder if it wouldn't be easier to have this as a new prompting configuration option for bye,
ssh was the only service called out in the original PAM code where it made an exception for if it saw the first factor with data but the second factor null. I haven't experienced any other services that would take advantage of this.
I can try - my git fu is not strong
The prompting capability doesn't address the core issue - the PAM module allows an ssh login to have only one factor specified no matter what the prompting setup is. It has code that calls out that specific use case, so the patch addresses that specific case where we don't want that behavior.
https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History may help you
Force-push: Fix typo, Fix parenthesis, Fix indentation (6b689db to 4d4a23c)
That was indeed very helpful - thank you!
Hi, yes, the actual check will happen in bye,
My initial goal with creating this patch was to limit the changes to just the pam code so it would be more maintainable for us if the changes were never accepted upstream. If someone else wants to create a larger patch set that implements the same effect by different means I obviously have no objections, but that might be outside of my abilities.
Hi, I have created a proof-of-concept patch with my suggestion to handle this with a sssd.conf prompting option at sumit-bose@d2b0d53 . I wonder if you can check if this works for you as well. Thanks. bye,
I’ll try this as soon as possible. |
Thanks |
@huckabeec were you able to test Sumit's proposal? |
Please re-open in case of any update. |
In our use case, we have 2FA configured using SSSD with Kerberos/FAST and OTP configured on the KDCs. A secondary principal is created for each user that holds their OTP credentials.
Also, in our configuration, ssh prompts for both the first and second factor.
What we found was that someone configured for OTP could bypass the 2FA requirement for ssh if they entered their primary principal password as the first factor due to how the pam_sss code allows an empty second factor. In a perfect world the primary principal would be scrambled/removed when 2FA is setup but we are in a transition state.
This pull request adds a 'force_second_factor' option that if set requires the second factor to be provided if and only if the PAM service being used is sshd. A NULL or missing second factor results in a return of PAM_CRED_INSUFFICIENT.
Hopefully this is useful to someone else as well.
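As an added illustration of the decision the description above talks about, the following C model is not code from this PR or from SSSD; it reproduces only the behaviour the description states. A prompt that yields a first factor but an empty second factor is downgraded to a single-factor (password) check, which is the bypass for a user whose password-only principal still works. With the option the PR adds and the service set to sshd, that same input is instead rejected with PAM_CRED_INSUFFICIENT. The names `struct factors_result`, `enum auth_kind`, `classify_factors` and the login attempts in `main` are assumptions made for this example; the PAM return values are the ones Linux-PAM defines, redefined locally so the file builds without libpam headers.

```c
/* Added example, not SSSD code: models the first-factor-only downgrade
 * described in the PR and the force_second_factor check it proposes.
 * struct factors_result, enum auth_kind and classify_factors() are
 * hypothetical names chosen for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Linux-PAM return codes as defined in <security/_pam_types.h>,
 * redefined here so the example builds without libpam-dev. */
#define PAM_SUCCESS           0
#define PAM_AUTH_ERR          7
#define PAM_CRED_INSUFFICIENT 8

/* Hypothetical stand-ins for the request types a PAM module would
 * forward to the backend (password-only vs. two-factor). */
enum auth_kind { AUTH_NONE, AUTH_SINGLE_FACTOR, AUTH_TWO_FACTOR };

struct factors_result {
    int rc;              /* early PAM decision; PAM_SUCCESS means "continue" */
    enum auth_kind kind; /* what would be sent on to the backend */
};

/* Classify what the prompt produced.
 * service: the PAM service name (e.g. "sshd").
 * first/second: factor strings as entered; NULL or "" means absent.
 * force_second_factor: the option the PR adds. When set and the
 * service is sshd, an empty second factor fails with
 * PAM_CRED_INSUFFICIENT instead of downgrading to a password check. */
static struct factors_result
classify_factors(const char *service, const char *first, const char *second,
                 bool force_second_factor)
{
    struct factors_result r = { PAM_SUCCESS, AUTH_NONE };
    bool have_first  = first  != NULL && first[0]  != '\0';
    bool have_second = second != NULL && second[0] != '\0';

    if (!have_first) {
        r.rc = PAM_AUTH_ERR;          /* nothing to authenticate with */
        return r;
    }
    if (have_second) {
        r.kind = AUTH_TWO_FACTOR;     /* both factors present: 2FA path */
        return r;
    }
    /* First factor only. Without the option this falls back to a
     * single-factor check, which is the bypass the PR describes. */
    if (force_second_factor && service != NULL && strcmp(service, "sshd") == 0) {
        r.rc = PAM_CRED_INSUFFICIENT;
        return r;
    }
    r.kind = AUTH_SINGLE_FACTOR;
    return r;
}

/* Constructed login attempts (not real data) exercising the four cases. */
int main(void)
{
    struct { const char *svc, *f1, *f2; bool force; } attempts[] = {
        { "sshd",  "correct-horse", "123456", false }, /* proper 2FA */
        { "sshd",  "correct-horse", "",       false }, /* bypass: downgraded */
        { "sshd",  "correct-horse", "",       true  }, /* rejected by option */
        { "login", "correct-horse", "",       true  }, /* option is sshd-only */
    };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        struct factors_result r = classify_factors(attempts[i].svc, attempts[i].f1,
                                                   attempts[i].f2, attempts[i].force);
        printf("service=%-5s second=%-6s force=%d -> rc=%d kind=%d\n",
               attempts[i].svc, attempts[i].f2[0] ? "set" : "empty",
               attempts[i].force, r.rc, r.kind);
    }
    return 0;
}
```

The fourth attempt shows the limit the reviewer raised in the thread: as written in the PR, the check applies only when the service name is "sshd", so the same empty second factor from another PAM service still takes the single-factor path.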