What is the state of multifactor become?

We need some discussion on how the connector and become plugins should interact. I have had some issues with Ansible as we roll out multifactor authentication on our servers. For SSH it is fine as I can use pubkey, but as we start using MFA on sudo as well there are issues. No problem though, as I can simply just modify the ssh plugin to get past the second password prompt. Actually, I did this last year and have been running it successfully ever since.

Recently I got back around to this and decided to clean up the code a bit, add a test case, and make sure it is fully backwards compatible. I published this at GitHub - Gnonthgol/ansible at become_mfa and even submitted a pull request to make it more visible. I certainly have lots of problems but it is better than what is in the current release.

I would prefer some input on this though. My current implementation allows you to set become_pass to a string or a list of strings. If you provide a single string it works as before. But if you provide a list then it will submit each password in order as prompted. For service accounts this allows them to set the second password to an empty string as MFA is usually not enabled but might still be prompted for. When doing ad-hoc commands you can use a password manager lookup plugin to set the second password. If you are prompted for more than two passwords this would also be possible. There are also other PAM plugins that ask for “passwords” for things like auditing as well.

The problem I see with doing this is that some implementations of MFA do not allow using the same token twice. Those with time-based tokens are sadly out of luck here. With a count-based token you can run the lookup plugin for each host to generate unique tokens. But subsequent plays will still use the same token so you would need a workaround. I do think that if you use this to circumvent security policies made to prevent you from reusing the token then you are already doing something wrong and we should not make this easy for the user. People should use service accounts without MFA for running Ansible en masse.

The other issue is that you cannot set become_pass to a list using the --ask-become-pass argument in Ansible. This makes it a bit harder to run ad-hoc commands unless you have set up a good inventory. I did not look into making changes to the command line arguments but I can come up with a few ways of doing this. For example, --ask-become-pass=2 might ask you for two become passwords.

I am looking at inputs here. It is not easy to work in the connector plugins so I do feel like I am a bit over my head. I only did this to solve a problem for myself and thought that some of you might enjoy it as well. It would be fun to see someone else see this to completion. I might be of some assistance as I did spend some time looking at PAM and sudo to get this to work.

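The string-or-list `become_pass` behaviour described in the post above, sketched as an added example; it is not code from the poster's branch or from Ansible. `BecomeResponder`, `run_session` and `PROMPT_RE` are hypothetical names, the prompt pattern is an assumption about what a PAM stack prints, and failing on an unanswered extra prompt (rather than resending a secret) is a design choice made here, not something the post specifies.

```python
import re

# Hypothetical prompt pattern; real prompts depend on the PAM stack in use.
PROMPT_RE = re.compile(rb"(?:[Pp]assword|[Vv]erification code|[Tt]oken)[^\n:]*: ?$")


class BecomeResponder:
    """Answer successive become prompts from a str-or-list become_pass."""

    def __init__(self, become_pass):
        # A single string keeps the old behaviour: one prompt, one password.
        if isinstance(become_pass, str):
            become_pass = [become_pass]
        if not all(isinstance(p, str) for p in become_pass):
            raise TypeError("become_pass must be a string or a list of strings")
        self._pending = list(become_pass)
        self._buf = b""

    def feed(self, chunk):
        """Take raw output; return bytes to send, or None if no prompt yet."""
        self._buf += chunk
        if not PROMPT_RE.search(self._buf):
            return None          # prompt may still be arriving in pieces
        self._buf = b""          # consume so the same prompt is answered once
        if not self._pending:
            # Fail instead of resending: a repeated prompt usually means a
            # rejected secret, and retrying risks account lockout.
            raise RuntimeError("more become prompts than passwords supplied")
        return self._pending.pop(0).encode() + b"\n"

    @property
    def unused(self):
        """Number of supplied passwords that no prompt has consumed."""
        return len(self._pending)


def run_session(become_pass, chunks):
    """Replay constructed output chunks; return (responses sent, unused count)."""
    responder = BecomeResponder(become_pass)
    sent = [r for r in map(responder.feed, chunks) if r is not None]
    return sent, responder.unused
```

A non-zero unused count after a successful escalation shows that the inventory supplies more secrets than the host actually asks for, which is worth flagging when MFA was expected on that host.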