To support two-factor authentication

Open azmidotmy opened this issue 3 years ago • 1 comments

Our company has just applied two-factor authentication on all our systems. We are using Duo Two Factor Authentication.

Every time we log in and escalate privileges using sudo, it prompts with options: either sending notifications to our phones or inserting a passcode.

I have tried to tinker with the Bolt configuration and read through the documentation, but none of it helped me handle this kind of authentication method. Is there any advice I can get to overcome this kind of situation?

azmidotmy avatar Sep 12 '22 02:09 azmidotmy

There is a backup user where we can use normal login authentication without two-factor authentication, but Puppet Bolt is having an error with issue_code: "CONNECT_ERROR".

```
$ bolt command run 'uname -a' -t backup1 -u ada -p  --trace -v --log-level debug
Loaded project from '/Users/azmim/Code/agentinstall'
CLI arguments ["user", "password"] might be overridden by Inventory: /Users/azmim/Code/agentinstall/inventory.yaml [ID: cli_overrides]
Loading modules from /opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.3.0/bolt-modules:/Users/azmim/Code/agentinstall/modules:/Users/azmim/Code/agentinstall/.modules:/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.3.0/modules
Loaded inventory from /Users/azmim/Code/agentinstall/inventory.yaml
Started with 100 max thread(s)
Starting: command 'uname -a' on backup1
Running command 'uname -a' on ["backup1"]
Running command 'uname -a' on backup1
Started on backup1...
{"target":"backup1","action":"command","object":null,"status":"failure","value":{"_error":{"details":{},"kind":"puppetlabs.tasks/connect-error","msg":"Failed to connect to backup1: [email protected]: Permission denied (password).\r\n","issue_code":"CONNECT_ERROR"}}}
Failed on backup1:
  Failed to connect to backup1: [email protected]: Permission denied (password).
Finished: command 'uname -a' with 1 failure in 2.44 sec
Failed on 1 target: backup1
Ran on 1 target in 2.44 sec
$
```

azmidotmy avatar Sep 12 '22 04:09 azmidotmy

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

github-actions[bot] avatar Nov 12 '22 00:11 github-actions[bot]

This issue is stale and has been closed. If you believe this is in error, or would like the Bolt team to reconsider it, please reopen the issue.

github-actions[bot] avatar Nov 20 '22 00:11 github-actions[bot]

Is there anything I could do to help move this request forward? Thank you.

azmidotmy avatar Mar 23 '23 04:03 azmidotmy

This would be a feature request in the net-ssh library probably. Though in practice I would imagine this has a common workflow that I think should work with bolt (at least using native-ssh transport). I think you can use connection multiplexing so that on a particular bolt controller (the system you are using bolt on) you can ssh (and provide the 2 factor prompt answer) then all connections moving forward would share the authenticated connection. Maybe something like:

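```
Host *
    # Socket path for the shared connection; %C is a hash that includes
    # the local host, remote host, port and remote user.
    ControlPath ~/.ssh/controlsocket/%C
    # Reuse an existing master connection if one exists, otherwise become the master.
    ControlMaster auto
```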

donoghuc avatar Mar 23 '23 14:03 donoghuc
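The multiplexing workflow suggested in the last comment, as an added example that is not part of the thread or of Bolt itself: log in once interactively to answer the Duo prompt, then let Bolt reuse that connection through the native-ssh transport. It assumes the `Host *` block above is in `~/.ssh/config`; the script name, the function names and the 10-minute `ControlPersist` lifetime are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the "Host *" ControlPath/ControlMaster
# block above is in ~/.ssh/config; targets and the 10m lifetime are placeholders.
CONTROL_DIR="${CONTROL_DIR:-$HOME/.ssh/controlsocket}"

# The control socket lets any process that can reach it reuse the already
# 2FA-authenticated session, so its directory must be private to this user.
prepare_control_dir() {
    dir="$1"
    if [ ! -e "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    { [ -d "$dir" ] && [ ! -L "$dir" ]; } || { echo "refusing $dir: not a real directory" >&2; return 1; }
    [ -O "$dir" ] || { echo "refusing $dir: not owned by you" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwx------" ] || { echo "refusing $dir: mode is $mode, want drwx------" >&2; return 1; }
}

# Step 1: open the master connection interactively; the Duo prompt is answered here.
# ControlPersist bounds how long the authenticated socket outlives this login.
open_master() {
    prepare_control_dir "$CONTROL_DIR" || return 1
    ssh -o ControlPersist=10m -fN "$1"
}

# Ask the master process whether it is still running (exit status 0 if so).
master_alive() {
    ssh -O check "$1" 2>/dev/null
}

# Step 2: run Bolt over the shared connection. native-ssh makes Bolt shell out
# to the ssh binary, which reads ~/.ssh/config and finds the control socket.
run_bolt() {
    target="$1"; cmd="$2"
    master_alive "$target" || { echo "no live master for $target; run open_master first" >&2; return 1; }
    bolt command run "$cmd" --targets "$target" --native-ssh
}

# Step 3: tear the master down so the authenticated socket does not linger.
close_master() {
    ssh -O exit "$1"
}

# Usage (hypothetical script name): sh bolt-mux.sh <target> '<command>'
if [ "$#" -eq 2 ]; then
    open_master "$1" && run_bolt "$1" "$2"; rc=$?
    close_master "$1"; exit "$rc"
fi
```

Because the socket name (`%C`) is derived from the connection's host, port and user, the manual login has to use the same user, host and port that Bolt uses for the target, otherwise Bolt opens a fresh, unauthenticated connection.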