FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

Displaying sudo lecture text/prompt not working with SLES 15SP5 and skip_passwd option #92

Open chris-tepe-kr opened 3 months ago

chris-tepe-kr commented 3 months ago

My lecture file ("Waiting on 2FA......") from sudoers configuration is not being displayed.

/etc/pam.d/sudo

```
#%PAM-1.0
auth     required   pam_radius_auth.so skip_passwd
account  include    common-account
password include    common-password
session  optional   pam_keyinit.so revoke
session  include    common-session
session  optional   pam_xauth.so
```

This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.
If I remove the skip_passwd option the lecture file does display but as expected I also get prompted for the password before the 2FA is triggered.

I've also tried using the prompt= and force_prompt options in conjunction with skip_passwd, but I still do not get the text from my lecture file nor the text passed in the prompt option. Removing skip_passwd causes both the lecture file and the prompt option to display.

I ran with the debug option:

```
pam_unix(sudo:session): session opened for user root by XXXXXX(uid=XXXXXXXX)
pam_unix(sudo:session): session closed for user root
pam_radius_auth: 2.0.1 DEVELOPER BUILD - (git #d802da75), built on May 1 2024 at 07:28:56
pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'
pam_radius_auth: _pam_parse: argv[1] = 'force_prompt'
pam_radius_auth: _pam_parse: argv[2] = 'conf=/etc/raddb/server'
pam_radius_auth: _pam_parse: argv[3] = 'skip_passwd'
pam_radius_auth: _pam_parse: argv[4] = 'debug'
pam_radius_auth: DEBUG: conf='/etc/raddb/server' use_first_pass=no try_first_pass=no skip_passwd=yes retry=0 localifdown=no client_id='' ruser=no prompt='2FA: ' force_prompt=yes prompt_attribute=no max_challenge=0 privilege_level=no
pam_radius_auth: Got user name: 'XXXXXXX'
pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
pam_radius_auth: DEBUG: get_ipaddr(XXXXXXX) returned 0.
pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
pam_radius_auth: authentication succeeded
```

alandekok commented 3 months ago

> This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.

Unfortunately I don't run SUSE and can't check this.

If it works everywhere else, then the problem is likely changes in the SUSE PAM system. There's nothing in the pam_radius_auth module about sudo, or displaying files.

chris-tepe-kr commented 3 months ago

Here are the package changes from SLES 15 SP4 to SP5: SLE 15 SP5 Package Changes

chris-tepe-kr commented 3 months ago

Looking through the sudo change logs, in version 1.9.10: "The sudo lecture is now displayed immediately before the password prompt. As a result, sudo will no longer display the lecture unless the user needs to enter a password. Authentication methods that don't interact with the user via a terminal do not trigger the lecture."

Sudo 1.9.10

So why would the prompt option not display?

pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'

alandekok commented 3 months ago

As I said, this is an issue with the underlying PAM / OS. The pam_radius_auth code is the same across all platforms. If the behavior is different on one platform, then the issue is on that platform.

And also, I don't run SLES, so I have no way of debugging this. I'm not even sure how to start debugging it, as (again) the issue is in the underlying PAM / sudo / OS somewhere.

I don't see how I can make any changes to the pam_radius_auth module which will fix an issue with the underlying OS.

chris-tepe-kr commented 3 months ago

So the "prompt" option for the pam_radius_auth.so module cannot be used to display a message such as "Waiting on 2FA" to the user unless they are first prompted for their password when using this module with sudo authentication. I was using two-factor as an authentication mechanism in lieu of a password when requesting elevated privileges via sudo access.
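As an added example (not code from pam_radius_auth or from anyone in this thread), the POSIX shell check below codifies the sudo 1.9.10 changelog note quoted earlier against a pam.d stack like the one in the first comment: the lecture (and, since it is only shown when the module asks for input, the prompt= text) will not appear when sudo is 1.9.10 or later and no auth module prompts for a password on the terminal. It assumes the auth modules are listed directly in the file (`include`d stacks are not followed) and that the only password-prompting modules of interest are pam_unix and pam_radius_auth without skip_passwd; the version strings and pam.d files are constructed sample data, not the SLES package versions.

```shell
#!/bin/sh
# Added example, not code from pam_radius_auth or from the issue's author.
# Offline check for the behaviour described in the thread: since sudo 1.9.10
# the lecture is printed only right before sudo's own password prompt, so an
# auth stack whose only interactive module is pam_radius_auth with skip_passwd
# never triggers it. Inputs below are constructed sample data; the `sudo -V`
# header format ("Sudo version X.Y.Z") is the real one.

# Return 0 (true) if dotted version $1 >= $2; "1.9.12p2" compares as 1.9.12.
# An empty/unknown version compares lower than anything, so the check stays
# conservative and reports "displayed".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Extract the version number from the first line of `sudo -V` output.
sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Does any "auth" line of the given pam.d file prompt for a password on the
# terminal? pam_unix always does; pam_radius_auth does unless skip_passwd is
# set. Assumption: modules are listed directly (includes are not followed).
auth_stack_prompts() {
    awk '
        $1 != "auth" { next }
        /pam_unix\.so/ { found = 1 }
        /pam_radius_auth\.so/ && !/skip_passwd/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print "suppressed" when the sudo lecture (and the prompt= text, which is
# only shown when a module asks for input) will not appear, else "displayed".
check_lecture() {   # $1 = pam.d file, $2 = first line of `sudo -V`
    ver=$(sudo_version "$2")
    if version_ge "$ver" "1.9.10" && ! auth_stack_prompts "$1"; then
        echo suppressed
    else
        echo displayed
    fi
    return 0
}

# Constructed sample input: the issue's auth line with and without skip_passwd,
# checked against a pre-1.9.10 and a post-1.9.10 sudo (hypothetical versions).
tmp=$(mktemp -d)
printf 'auth required pam_radius_auth.so skip_passwd\naccount include common-account\n' > "$tmp/sudo-skip"
printf 'auth required pam_radius_auth.so\naccount include common-account\n' > "$tmp/sudo-noskip"
check_lecture "$tmp/sudo-skip"   "Sudo version 1.9.12p2"   # suppressed
check_lecture "$tmp/sudo-skip"   "Sudo version 1.9.5p2"    # displayed
check_lecture "$tmp/sudo-noskip" "Sudo version 1.9.12p2"   # displayed
rm -rf "$tmp"
```

To run it against a real host, replace the constructed files with /etc/pam.d/sudo and feed it `sudo -V | head -n 1`; a "suppressed" result means a message for the user has to come from a module that actually talks to the terminal, not from sudo's lecture.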