Conflation of login and sudo passwords problematic with 2FA #1491
Can't find open tickets about exactly this, probably because it's actually kind of a corner case.
"Normally", one's SSH login password and sudo password are the same value, which is why Fabric has always reused the one for the other by default. (See e.g. http://docs.fabfile.org/en/1.11/usage/execution.html#password-management)
If the subsequent session includes calls to
A problem appears when one enables two-factor auth - e.g. key + Duo Security or other TOTP or push-based 2FA, implemented as SSH's
My initial instinct was that this represented a Paramiko problem. We could potentially streamline things there in some way, but it's not really Paramiko's fault - we gave Paramiko a "login password" so it's not unfair to expect that to be used for auto-submitting
Instead, the problem is simply that it's impossible to give Fabric distinct values for login and sudo passwords. Once that's possible, the above scenario is fixable by ensuring that the login password is
How to do this?
One minor wrinkle, realized there's ambiguity about where user-entered sudo passwords get cached after this is implemented.
Given existing behavior is to cache in