Open chris-tepe-kr opened 6 months ago
Unfortunately I don't run SUSE and can't check this.
If it works everywhere else, then the problem is likely changes in the SUSE PAM system. There's nothing in the pam_radius_auth module about sudo, or displaying files.
Here are the package changes from SLES15 SP4 to SP5: SLE 15 SP5 Package Changes
Looking through the SUDO change logs, in version 1.9.10: "The sudo lecture is now displayed immediately before the password prompt. As a result, sudo will no longer display the lecture unless the user needs to enter a password. Authentication methods that don't interact with the user via a terminal do not trigger the lecture."
So why would the prompt option not display?
pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'
As I said, this is an issue with the underlying PAM / OS. The pam_radius_auth code is the same across all platforms. If the behavior is different on one platform, then the issue is on that platform.
And also, I don't run SLES, so I have no way of debugging this. I'm not even sure how to start debugging it, as (again) the issue is in the underlying PAM / sudo / OS somewhere.
I don't see how I can make any changes to the pam_radius_auth module which will fix an issue with the underlying OS.
So the "prompt" option for the pam_radius_auth.so module cannot be used to display a message such as "Waiting on 2FA" to the user unless they are first prompted for their password when using this module with sudo authentication. I was using 2-factor as an authentication mechanism in lieu of a password when requesting elevated privileges via sudo access.
My lecture file ("Waiting on 2FA......") from sudoers configuration is not being displayed.
/etc/pam.d/sudo
```
#%PAM-1.0
auth required pam_radius_auth.so skip_passwd
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session
session optional pam_xauth.so
```
This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.
If I remove the skip_passwd option the lecture file does display but as expected I also get prompted for the password before the 2FA is triggered.
I've also tried using the prompt= and force_prompt options as well in conjunction with skip_passwd, but I still do not get the text from my lecture file nor the text passed in the prompt option. Removing skip_passwd causes both the lecture file and the prompt option to display.
I ran with the debug option:
```
pam_unix(sudo:session): session opened for user root by XXXXXX(uid=XXXXXXXX)
pam_unix(sudo:session): session closed for user root
pam_radius_auth: 2.0.1 DEVELOPER BUILD - (git #d802da75), built on May 1 2024 at 07:28:56
pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'
pam_radius_auth: _pam_parse: argv[1] = 'force_prompt'
pam_radius_auth: _pam_parse: argv[2] = 'conf=/etc/raddb/server'
pam_radius_auth: _pam_parse: argv[3] = 'skip_passwd'
pam_radius_auth: _pam_parse: argv[4] = 'debug'
pam_radius_auth: DEBUG: conf='/etc/raddb/server' use_first_pass=no try_first_pass=no skip_passwd=yes retry=0 localifdown=no client_id='' ruser=no prompt='2FA: ' force_prompt=yes prompt_attribute=no max_challenge=0 privilege_level=no
pam_radius_auth: Got user name: 'XXXXXXX'
pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
pam_radius_auth: DEBUG: get_ipaddr(XXXXXXX) returned 0.
pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
pam_radius_auth: authentication succeeded
```
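An added check, not part of this thread or of the pam_radius_auth project, that reads a /etc/pam.d/sudo auth stack and predicts from the sudo 1.9.10 changelog rule quoted above whether a lecture (or the prompt= text) can ever appear. It assumes pam_radius_auth prompts through the PAM conversation unless skip_passwd or use_first_pass is set, and conservatively treats unknown modules and include lines as prompting; the sample stack is constructed from the configuration and debug output in the thread.

```python
"""Predict whether sudo's lecture can appear for a given PAM auth stack.

sudo >= 1.9.10 prints the lecture only immediately before a password
prompt, so an auth stack that never prompts on the terminal never lectures.
"""
import re

# Constructed sample: the /etc/pam.d/sudo from the issue, with the module
# options the poster's debug run reported (assumption: same host config).
PAM_SUDO = """\
#%PAM-1.0
auth required pam_radius_auth.so prompt=2FA force_prompt conf=/etc/raddb/server skip_passwd debug
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session
session optional pam_xauth.so
"""


def parse_pam(text):
    """Yield (type, control, module_or_file, args) per non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[1] == "include":          # "auth include common-auth"
            yield parts[0], "include", parts[2], []
        else:
            yield parts[0], parts[1], parts[2], parts[3:]


def radius_prompts(args):
    """pam_radius_auth asks for a password via the PAM conversation unless
    skip_passwd is set or use_first_pass reuses an earlier module's answer."""
    return "skip_passwd" not in args and "use_first_pass" not in args


# Modules whose prompting behaviour we model; anything else is assumed
# to prompt (conservative: includes are opaque here, so they count too).
PROMPTING = {"pam_radius_auth.so": radius_prompts}


def auth_stack_prompts(text):
    """True if at least one auth entry can put a prompt on the terminal."""
    for typ, control, module, args in parse_pam(text):
        if typ == "auth" and (control == "include"
                              or PROMPTING.get(module, lambda a: True)(args)):
            return True
    return False


def lecture_expected(text, sudo_version):
    """Apply the 1.9.10 rule: older sudo lectures regardless of prompting."""
    ver = tuple(int(x) for x in re.split(r"[.p]", sudo_version)[:3])
    return True if ver < (1, 9, 10) else auth_stack_prompts(text)
```

Run lecture_expected() against each host's stack and `sudo -V` version to see where the skip_passwd stack will silently drop the lecture.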