Ansible sudo with multifactor authentication

Hi,

We use multifactor authentication provided by IPA. So for every login/sudo prompt we have this kind of prompt (also on machines that don't require the second factor):

First Factor:
Second Factor (optional):

I would like to run the following Ansible playbook on several computers:

- hosts: all
  vars_files:
    - secret              # secrets for the run (e.g. the become password)
  tasks:
    - name: Do something as sudo
      command: whoami
      become: true        # required: become_user alone does not trigger privilege escalation
      become_user: root   # default become method is sudo

But it fails to sudo. Even on machines where the second factor is really optional, not needed.

Can I somehow use Ansible sudo with MFA authentication, where the server doesn't require the second factor?

Regards,
Stone

Responses

Hello,

From the ansible sudo plugin sources, ansible changes the prompt to [sudo via ansible, key=%s] password: to provide the password.

This prompt logic is done by sudo, which then provides the supplied password to the PAM stack. From what I understand, it's your PAM stack that prompts for these 2 lines.

As sudo already provides a password, depending on your 2FA plugin, you may try to add some option like "try_first_pass" so it'll try to use the password if provided, and retry asking for the 2nd factor if the first one is not successful.

Can you post your relevant /etc/pam.d/ files ?
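Added example (not from the thread, and not Ansible's own code): a small shell script that rebuilds the sudo command line Ansible's sudo become plugin runs once a become password is set, feeds the password on stdin the same way Ansible does, and classifies whose prompt came back. It lets you exercise the PAM stack by hand, outside Ansible, on one of the affected hosts. Assumptions: the key is a random id in Ansible and is passed in as a fixed value here; the BECOME-SUCCESS wrapper and the -H -S flags are what the current sudo become plugin emits; the target user and command (root, whoami) mirror the playbook above.

```shell
# ansible_sudo_cmd KEY USER COMMAND
# Prints the sudo invocation Ansible builds when a become password is set:
# -H sets HOME, -S reads the password from stdin (and writes the prompt to
# stderr), -p installs the prompt string Ansible watches for. Ansible drops its
# default -n (non-interactive) in this case and wraps the command so success
# can be detected by the BECOME-SUCCESS marker.
ansible_sudo_cmd() {
    key=$1; user=$2; cmd=$3
    printf '%s\n' "sudo -H -S -p \"[sudo via ansible, key=$key] password:\" -u $user /bin/sh -c 'echo BECOME-SUCCESS-$key ; $cmd'"
}

# classify_prompt OUTPUT
# Reports which side of the PAM conversation produced the first prompt:
#   ansible  - sudo used Ansible's -p prompt, so Ansible would send the password
#   pam_sss  - pam_sss replaced the prompt with its First/Second Factor dialog,
#              so Ansible never sees the string it waits for
#   none     - no prompt at all (NOPASSWD rule or cached credentials)
classify_prompt() {
    case $1 in
        *"[sudo via ansible, key="*"] password:"*) echo ansible ;;
        *"First Factor:"*|*"Second Factor"*)       echo pam_sss ;;
        *)                                          echo none ;;
    esac
}

# probe_sudo PASSWORD [USER] [COMMAND]
# Runs the reconstructed command with the password on stdin, exactly as Ansible
# does, and prints what the PAM stack did. Needs sudo on an IPA-joined host;
# run it as the same account Ansible logs in with.
probe_sudo() {
    pass=$1; user=${2:-root}; cmd=${3:-whoami}
    key=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    # capture stderr too: with -S sudo prints its prompt there
    out=$(printf '%s\n' "$pass" | timeout 15 sh -c "$(ansible_sudo_cmd "$key" "$user" "$cmd")" 2>&1) || true
    echo "prompt source: $(classify_prompt "$out")"
    case $out in
        *"BECOME-SUCCESS-$key"*) echo "result: become succeeded" ;;
        *) echo "result: become failed"; printf '%s\n' "$out" | sed 's/^/  sudo: /' ;;
    esac
}

# usage on a real host (interactive, so not run here):
#   probe_sudo 'your-password'
```

If the probe reports pam_sss as the prompt source, the conversation was taken over by the PAM module before sudo printed the string Ansible waits for. Whether sudo's -p prompt is allowed to replace a module-supplied prompt is governed by the passprompt_override flag in sudoers(5), so its setting is worth checking alongside the PAM stack when reading the probe output.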

Not some PAM magic but pam_sss prompts for these two lines.

This is my /etc/pam.d/sudo

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

and this is my system-auth

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_faillock.so authfail audit deny=5 unlock_time=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

As a test, can you try to add the following line before the auth sufficient pam_sss.so

auth        sufficient    pam_sss.so use_first_pass

that way, you should have this:

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_sss.so forward_pass

The idea is to try to test the provided password on its own, then continue with the standard process. The bad thing about this: it'll try to authenticate the user first, and that may lead to account lockout due to too many failures. That's why it's only to test. Once you find a working way with this, you can try to do a copy of system-auth only for sudo and add more specific tests, like with pam_if

Not working.

On another path I started to experiment with sssd.conf's password prompt settings, but without success...

Hi Peter,

I am trying to set up MFA by setting up Red Hat IPA servers, which are AD integrated. By the looks of it, you have achieved this.

May I know what MFA tool you are using, and how to set up IPA for it?

I use the built in MFA in IPA with Google Authenticator. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/otp