sssd to override user's authentication types #8315

@pem3v78

We would like to use ansible for automation. We are required to use our own accounts because of accountability; technical accounts are out of the question. We use sssd with IPA, and all users in IPA have OTP configured. IPA allows the Password and Password+OTP auth types. The hosts ansible will run on do not require OTP: these hosts in IPA do not have any authenticator indicators set.

The assumption is that ansible-playbook will execute on a host inside the environment. The user already has a Kerberos ticket. Login to other machines via ssh is allowed with GSSAPI. No credentials are needed in ansible up to this point; it simply works when tasks execute under our account. Some tasks require the root account, and ansible's "become" is used to gain rights. The problem is that sssd generates an MFA prompt for OTP. This is a two-line prompt, which breaks ansible. The interactive session looks like this:

[user@host ~]$ sudo echo works
First Factor:
Second Factor (optional):
works

The password is provided on the first line and nothing on the second line. ansible supports password prompts, but only on one line. It adds the -p and -S arguments, and it looks like this:

[user@host ~]$ sudo -S -p ask: echo works
ask:
ask:
works

When it spots the second prompt it errors out, assuming the password is wrong. We do not want to disable the sudo password prompting policy for security reasons - the NOPASSWD: in rules.

Can we reconfigure sssd on these hosts to force only password prompting?

I have looked into the source code of ansible's ssh connection and of pam_sss to see if anything is possible. I could not find a solution. I see an undocumented use_2fa flag in pam_sss, but it works exactly the opposite way: it forces the two-line prompt. A do_not_use_2fa or 2fa_skip flag would solve this issue. Maybe it is possible to override the IPA response in the sss daemon itself?
