FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0
103 stars 90 forks source link

Displaying sudo lecture text/prompt not working with SLES 15SP5 and skip_passwd option #92

Open chris-tepe-kr opened 6 months ago

chris-tepe-kr commented 6 months ago

My lecture file ("Waiting on 2FA......") from sudoers configuration is not being displayed.

/etc/pam.d/sudo

%PAM-1.0

auth required pam_radius_auth.so skip_passwd account include common-account password include common-password session optional pam_keyinit.so revoke session include common-session

session optional pam_xauth.so

This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.
If I remove the skip_passwd option the lecture file does display but as expected I also get prompted for the password before the 2FA is triggered.

I've also tried using the prompt= and force_prompt options as well in conjunction with the skip_passwd but I still do not get the text from my lecture file nor the text passed in the prompt option. Removing the skip_passwd cause both lecture file and prompt option to display.

I ran with debug option

pam_unix(sudo:session): session opened for user root by XXXXXX(uid=XXXXXXXX) pam_unix(sudo:session): session closed for user root pam_radius_auth: 2.0.1 DEVELOPER BUILD - (git #d802da75), built on May 1 2024 at 07:28:56 pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA' pam_radius_auth: _pam_parse: argv[1] = 'force_prompt' pam_radius_auth: _pam_parse: argv[2] = 'conf=/etc/raddb/server' pam_radius_auth: _pam_parse: argv[3] = 'skip_passwd' pam_radius_auth: _pam_parse: argv[4] = 'debug' pam_radius_auth: DEBUG: conf='/etc/raddb/server' use_first_pass=no try_first_pass=no skip_passwd=yes retry=0 localifdown=no client_id='' ruser=no prompt='2FA: ' force_prompt=yes prompt_attribute=no max_challenge=0 privilege_level=no pam_radius_auth: Got user name: 'XXXXXXX' pam_radius_auth: Sending RADIUS request code 1 (Access-Request) pam_radius_auth: DEBUG: get_ipaddr(XXXXXXX) returned 0. pam_radius_auth: Got RADIUS response code 2 (Access-Accept) pam_radius_auth: authentication succeeded

alandekok commented 6 months ago

This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.

Unfortunately I don't run SUSE and can't check this.

If it works everywhere else, then the problem is likely changes in the SUSE PAM system. There's nothing in the pam_radius_auth module about sudo, or displaying files.

chris-tepe-kr commented 6 months ago

Here is the package changes from SLES15 SP4 to SP5 SLE 15 SP5 Package Changes

chris-tepe-kr commented 6 months ago

Looking thru the SUDO change logs. in version 1.9.10 "The sudo lecture is now displayed immediately before the password prompt. As a result, sudo will no longer display the lecture unless the user needs to enter a password. Authentication methods that don't interact with the user via a terminal do not trigger the lecture."

Sudo 1.9.10

So why would the prompt option not display?

pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'

alandekok commented 6 months ago

As I said, this is an issue with the underlying PAM / OS. The pam_radius_auth code is the same across all platforms. if the behavior is different on one platform, then the issue is on that platform.

And also, I don't run SLES, so I have no way of debugging this. I'm not even sure how to start debugging it, as (again) the issue is in the underlying PAM / sudo / OS somewhere.

I don't see how I can make any changes to the pam_radius_auth module which will fix an issue with the underlying OS.

chris-tepe-kr commented 6 months ago

So the "prompt" option for pam_radius_auth.so module cannot be used to display a message such as "Waiting on 2FA" to the user unless they first prompted for their password when using this module with sudo authentication. I was using 2 factor as an authentication mechanism in lue of password when requesting elevated privileges via sudo access.