
Displaying sudo lecture text/prompt not working with SLES 15SP5 and skip_passwd option #92

Open
chris-tepe-kr opened this issue May 1, 2024 · 5 comments

Comments

@chris-tepe-kr

My lecture file ("Waiting on 2FA......") from sudoers configuration is not being displayed.

/etc/pam.d/sudo
#%PAM-1.0
auth required pam_radius_auth.so skip_passwd
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session

session optional pam_xauth.so

This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.
If I remove the skip_passwd option the lecture file does display but as expected I also get prompted for the password before the 2FA is triggered.

I've also tried using the prompt= and force_prompt options as well in conjunction with the skip_passwd, but I still do not get the text from my lecture file nor the text passed in the prompt option. Removing the skip_passwd causes both the lecture file and the prompt option to display.

I ran with the debug option:

pam_unix(sudo:session): session opened for user root by XXXXXX(uid=XXXXXXXX)
pam_unix(sudo:session): session closed for user root
pam_radius_auth: 2.0.1 DEVELOPER BUILD - (git #d802da75), built on May 1 2024 at 07:28:56
pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'
pam_radius_auth: _pam_parse: argv[1] = 'force_prompt'
pam_radius_auth: _pam_parse: argv[2] = 'conf=/etc/raddb/server'
pam_radius_auth: _pam_parse: argv[3] = 'skip_passwd'
pam_radius_auth: _pam_parse: argv[4] = 'debug'
pam_radius_auth: DEBUG: conf='/etc/raddb/server' use_first_pass=no try_first_pass=no skip_passwd=yes retry=0 localifdown=no client_id='' ruser=no prompt='2FA: ' force_prompt=yes prompt_attribute=no max_challenge=0 privilege_level=no
pam_radius_auth: Got user name: 'XXXXXXX'
pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
pam_radius_auth: DEBUG: get_ipaddr(XXXXXXX) returned 0.
pam_radius_auth: Got RADIUS response code 2 (Access-Accept)
pam_radius_auth: authentication succeeded

@alandekok
Member

> This configuration works on Cent 6,7 & 8, SLES 11, 12 and 15 SP4. With SLES 15SP5 my lecture file no longer displays.

Unfortunately I don't run SUSE and can't check this.

If it works everywhere else, then the problem is likely changes in the SUSE PAM system. There's nothing in the pam_radius_auth module about sudo, or displaying files.

@chris-tepe-kr
Author

Here are the package changes from SLES15 SP4 to SP5:
SLE 15 SP5 Package Changes

  • pam-modules: 12.1-3.17 => 12.1-150000.5.3.2
  • pam: 0.8.16-1.1 => 0.8.16-150300.3.3.1
  • sudo: 1.9.9-150400.2.5 => 1.9.12p1-150500.5.1

@chris-tepe-kr
Author

Looking through the sudo change logs, in version 1.9.10:
"The sudo lecture is now displayed immediately before the password prompt. As a result, sudo will no longer display the lecture unless the user needs to enter a password. Authentication methods that don't interact with the user via a terminal do not trigger the lecture."

Sudo 1.9.10

So why would the prompt option not display?

pam_radius_auth: _pam_parse: argv[0] = 'prompt=2FA'

@alandekok
Member

As I said, this is an issue with the underlying PAM / OS. The pam_radius_auth code is the same across all platforms. If the behavior is different on one platform, then the issue is on that platform.

And also, I don't run SLES, so I have no way of debugging this. I'm not even sure how to start debugging it, as (again) the issue is in the underlying PAM / sudo / OS somewhere.

I don't see how I can make any changes to the pam_radius_auth module which will fix an issue with the underlying OS.

@chris-tepe-kr
Author

So the "prompt" option for the pam_radius_auth.so module cannot be used to display a message such as "Waiting on 2FA" to the user unless they are first prompted for their password when using this module with sudo authentication. I was using 2 factor as an authentication mechanism in lieu of a password when requesting elevated privileges via sudo access.
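The practical consequence of the thread, as a small audit script. This is an added example, not code from the pam_radius_auth project or from either commenter: it checks a sudo PAM stack against the sudo 1.9.10 change quoted above (the lecture only appears immediately before a password prompt), so that an `auth ... pam_radius_auth.so skip_passwd` line on sudo 1.9.10 or later is flagged as a configuration where the user sees neither the lecture nor the module's prompt= text while the RADIUS request is pending. It assumes pam_radius_auth is the only auth module in the stack that could prompt; the sample PAM file is constructed inline to mirror the one posted in the issue.

```shell
#!/bin/sh
# Added example, not code from the pam_radius_auth project or the thread.
# Audits a sudo PAM stack against the sudo 1.9.10 behaviour change quoted in
# the issue: the lecture (and any module prompt text) only appears when sudo
# actually prompts for a password, so "auth ... pam_radius_auth.so skip_passwd"
# means the user sees nothing while the RADIUS/2FA request is pending.
# Assumption: pam_radius_auth is the only auth module that could prompt.

# Reduce a sudo version string to space-separated integers, dropping the
# "pN" patch suffix (e.g. "1.9.12p1" -> "1 9 12").
sudo_version_fields() {
    printf '%s\n' "$1" | sed 's/p[0-9]*$//' | tr '.' ' '
}

# version_ge A B: exit 0 if sudo version A is >= B (first three fields;
# missing fields count as 0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(sudo_version_fields "$1" | cut -d' ' -f"$i")
        fb=$(sudo_version_fields "$2" | cut -d' ' -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# pam_auth_skips_password FILE: exit 0 if a non-comment "auth" line loads
# pam_radius_auth.so with the skip_passwd option, 1 otherwise.
pam_auth_skips_password() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*auth[[:space:]]' \
        | grep -E 'pam_radius_auth\.so' \
        | grep -Eq '(^|[[:space:]])skip_passwd([[:space:]]|$)'
}

# lecture_will_display PAMFILE SUDO_VERSION: exit 0 if sudo would still show
# its lecture for this stack, 1 if skip_passwd on sudo >= 1.9.10 suppresses it.
lecture_will_display() {
    if pam_auth_skips_password "$1" && version_ge "$2" 1.9.10; then
        return 1
    fi
    return 0
}

# audit_sudo_stack PAMFILE SUDO_VERSION: print a one-line finding.
audit_sudo_stack() {
    if lecture_will_display "$1" "$2"; then
        echo "sudo $2: lecture/prompt text is shown for $1"
    else
        echo "sudo $2: WARNING skip_passwd with no password prompt; lecture and prompt= text are not shown for $1"
    fi
}

# Constructed sample mirroring the /etc/pam.d/sudo stack posted in the thread.
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
#%PAM-1.0
auth required pam_radius_auth.so skip_passwd
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session
session optional pam_xauth.so
EOF

audit_sudo_stack "$SAMPLE_PAM" 1.9.9      # SP4-era sudo: shown
audit_sudo_stack "$SAMPLE_PAM" 1.9.12p1   # SP5 sudo: not shown
rm -f "$SAMPLE_PAM"
```

On a real host the same check can be run against the live stack with `audit_sudo_stack /etc/pam.d/sudo "$(sudo -V | sed -n 's/^Sudo version //p')"`, since `sudo -V` prints its version on a line starting with "Sudo version". The version comparison is what makes the check portable across the releases listed in the package diff (1.9.9 on SP4 versus 1.9.12p1 on SP5); the stack grep deliberately ignores commented-out lines so a disabled `skip_passwd` is not reported.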
