Ansible sudo with multifactor authentication

We use multifactor authentication provided by IPA. So for every login/sudo prompt we get this kind of prompt (also on machines that don't require the second factor):

First Factor:
Second Factor (optional):

I would like to run the following Ansible playbook on several computers:

- hosts: all
  vars_files:
    - secret   # assumed: the posted "- secret" fragment belongs to a vars_files list
  tasks:
    - name: Do something as sudo
      command: whoami
      become: yes
      become_user: root

But it fails to sudo, even on machines where the second factor is really optional and not needed.

Can I somehow use Ansible sudo with MFA authentication, where the server doesn't require the second factor?

From the ansible sudo plugin sources, ansible changes the prompt to [sudo via ansible, key=%s] password: to provide the password.

This prompt logic is done by sudo, which then provides the supplied password to the PAM stack. From what I understand, it's your PAM stack that prompts for these 2 lines.

As sudo already provides a password, depending on your 2FA plugin, you may try to add some option like "try_first_pass" so it'll try to use the password if provided, and retry asking for the 2nd factor if the first one is not successful.

Can you post your relevant /etc/pam.d/ files?
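To make the handshake described above concrete, here is an added toy model (not code from the thread or from Ansible) of how the become plugin waits for the prompt it passed to `sudo -p` before writing the password. It assumes that when a PAM module such as pam_sss presents its own prompt ("First Factor:"), that text is what reaches Ansible instead of the expected `[sudo via ansible, key=...] password:` string; the sample prompt lines are constructed.

```python
"""Toy model of the prompt handshake between Ansible's sudo become plugin and sudo/PAM.
It does not call sudo or PAM; it only shows why a foreign prompt stalls the exchange."""

# Prompt format Ansible hands to `sudo -p`; the key is random per run.
PROMPT_FMT = "[sudo via ansible, key={key}] password:"


def build_sudo_argv(key, command):
    # Simplified form of the command Ansible builds (-S reads the password from stdin).
    return ["sudo", "-S", "-p", PROMPT_FMT.format(key=key)] + list(command)


def check_password_prompt(output, key):
    # The become plugin only recognises its own exact prompt string.
    return PROMPT_FMT.format(key=key) in output


def run_become(key, prompt_lines, max_reads=3):
    """Return the events Ansible would go through for the given PAM output.

    Ansible reads sudo's output until it sees the prompt it asked for, then writes the
    password. If the PAM stack presents a different prompt (e.g. "First Factor:"),
    the check never succeeds and the attempt ends in a timeout instead of a sudo.
    """
    events = []
    for i, chunk in enumerate(prompt_lines):
        if i >= max_reads:
            break
        if check_password_prompt(chunk, key):
            events.append(("password_sent", chunk))
            return events
        events.append(("ignored", chunk))
    events.append(("timeout", None))
    return events


# Constructed sample outputs: the default path where sudo shows Ansible's prompt,
# and the pam_sss two-factor path quoted in the question.
DEFAULT_PROMPT = [PROMPT_FMT.format(key="abc123")]
MFA_PROMPTS = ["First Factor:", "Second Factor (optional):"]

if __name__ == "__main__":
    print(build_sudo_argv("abc123", ["whoami"]))
    print(run_become("abc123", DEFAULT_PROMPT))
    print(run_become("abc123", MFA_PROMPTS))
```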

It's not some PAM magic; pam_sss prompts for these two lines.

This is my /etc/pam.d/sudo

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional revoke
session    required
session    include      system-auth

and this is my system-auth

auth        required
auth        required delay=2000000
auth        required preauth silent audit deny=5 unlock_time=900
auth        [default=1 ignore=ignore success=ok] uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]
auth        sufficient try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        sufficient forward_pass
auth        required authfail audit deny=5 unlock_time=900
auth        required

account     required
account     required
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass local_users_only retry=3 authtok_type=
password    sufficient sha512 shadow try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required
-session     optional
session     optional umask=0077
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional

As a test, can you try to add the following line before the auth sufficient

auth        sufficient use_first_pass

that way, you should have this:

auth        requisite uid >= 1000 quiet_success
auth        sufficient use_first_pass
auth        sufficient forward_pass 

The idea is to try testing the provided password on its own, then continue with the standard process. The bad thing about this: it'll try to authenticate the user first, and that may lead to account lockout due to too many failures. That's why it's only for testing. Once you find a working way with this, you can try to make a copy of system-auth only for sudo and add more specific tests, like with pam_if.

Not working.

On another path I started to experiment with sssd.conf's password-prompt settings, but without success...

Hi Peter,

I am trying to set up MFA by setting up Red Hat IPA servers, which are AD integrated. By the looks of it, you have achieved it.

May I know what MFA tool you are using, and how to set up IPA for the same?

I use the built-in MFA in IPA with Google Authenticator.