[sudo-users] Proposing feature request for consideration : passfail_message

Martin "eto" Misuth et.code at ethome.sk
Tue Dec 5 20:56:38 MST 2017


Hello,

First situational description:
 Although we offloaded some simpler stuff to doas, sudo is still going strong on
 many of our nodes. Mainly for tasks where I want to do some logging and more
 complex rule processing.

 For some time, I was using pam_ssh_agent_auth on personal and less important
 boxes, but recently I started using it for boxes where multiple people work.

 I like this arrangement a bit better than the NOPASSWD directive, although it means
 forwarding the agent to specific nodes. It makes even "seemingly"
 NOPASSWD "level" commands authenticated, and it is completely
 transparent to the user as long as the agent is being forwarded.

Now when real users (not just me) started using this setup, I am hitting this
problem, which is probably shared with other schemes where auth by "password"
loses its meaning (but sudo is still used for rule processing):
there is no "password"!

For sake of simplicity let's assume this ruleset:

  # we need to keep at least SSH_AUTH_SOCK so that pam_ssh_agent_auth
  # can find forwarded agent and ask it for pubkey
  Defaults env_keep += "SSH_AUTH_SOCK SSH_CLIENT SSH_CONNECTION SSH_TTY"

  # user uses their personal password on their local box to "unlock"
  # the key, so trying the password multiple times makes no sense;
  # there should be only one auth attempt made (when contacting ssh-agent)
  # and that's it
  Defaults passwd_tries = 1

  # timestamp loses meaning as well, as each time a sudoed command is run,
  # pam_ssh_agent_auth will ask the user's local ssh-agent to auth
  # them instead - as such we don't need to use timestamps -
  # this increases "security" slightly
  Defaults timestamp_timeout = 0

  # *** this is my pain point *** : this message gets displayed for a
  # wrong password entry (eg "paswd try" governed by passwd_tries),
  # but not for whole authentication session failure!
  Defaults badpass_message="Problem occured while connecting to your ssh-agent!"

Though badpass_message notifies the user that password entry was invalid, there
is no way to instruct sudo to show a different message on whole auth session
failure.

With passwd_tries = 1 failed sudo attempt looks like this:
$ sudo -l            
: sudo: 1 incorrect password attempt

With passwd_tries = 2 failed sudo attempt looks like this:
$ sudo -l            
: Problem occured while connecting to your ssh-agent!
: sudo: 2 incorrect password attempts

As expected this is confusing my users doubly - "What ... password!?".
Especially when our machines use ssh-agent for auth, while on other
machines, outside of our control, there is "passworded" sudo.

Would it be possible to add a new sudoers option named "passfail_message"
(or any suitable name) that will allow a sysadmin to change the
"%d incorrect password attempts" message to something else?

That way, adding this rule:

  Defaults passfail_message="Problem occured while connecting to your ssh-agent!"

Would make sudo session look like this:
$ sudo -l            
: Problem occured while connecting to your ssh-agent!

I understand this probably requires a substantial amount of work,
including adding support for an LDAP entry, so I am curious if there
is even a possibility for this to be implemented upstream.

One thing is sure, with the proliferation of various tokens and other
passwordless authentication schemes this will become more and more
common.

Thanks for consideration

  eto
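Added example, not part of the post or of sudo: a small Python checker that parses the Defaults lines of a sudoers fragment (handling the += / -= list syntax) and verifies the three settings the agent-based arrangement above depends on (SSH_AUTH_SOCK kept, passwd_tries = 1, timestamp_timeout = 0). Function names and the assumed sudo built-in defaults (passwd_tries 3, timestamp_timeout 5) are my own; the sample input is constructed from the post.

```python
import re

# Options that hold word lists (sudoers allows "+=" and "-=" on them).
LIST_OPTIONS = {"env_keep", "env_check", "env_delete"}
DEFAULTS_RE = re.compile(r"^\s*Defaults\s+(\w+)\s*(\+=|-=|=)\s*(.*)$")

# Constructed sample: the Defaults block from the post.
SAMPLE = """
  # keep SSH_AUTH_SOCK so pam_ssh_agent_auth can find the forwarded agent
  Defaults env_keep += "SSH_AUTH_SOCK SSH_CLIENT SSH_CONNECTION SSH_TTY"
  Defaults passwd_tries = 1
  Defaults timestamp_timeout = 0
  Defaults badpass_message="Problem occured while connecting to your ssh-agent!"
"""

def parse_defaults(text):
    """Return Defaults options from a sudoers fragment (simplified parser)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (not quote-aware)
        m = DEFAULTS_RE.match(line) if line else None
        if not m:
            continue
        name, op, value = m.groups()
        value = value.strip().strip('"')
        if name in LIST_OPTIONS:
            words = set(value.replace(",", " ").split())
            if op == "+=":
                opts.setdefault(name, set()).update(words)
            elif op == "-=":
                opts.setdefault(name, set()).difference_update(words)
            else:
                opts[name] = words
        elif value.isdigit():
            opts[name] = int(value)
        else:
            opts[name] = value
    return opts

def check_agent_auth_defaults(opts):
    """Findings for the pam_ssh_agent_auth setup; sudo defaults 3 and 5 assumed."""
    findings = []
    if "SSH_AUTH_SOCK" not in opts.get("env_keep", set()):
        findings.append("env_keep lacks SSH_AUTH_SOCK: pam_ssh_agent_auth cannot reach the agent")
    if opts.get("passwd_tries", 3) != 1:
        findings.append("passwd_tries != 1: extra prompts for a password that does not exist")
    if opts.get("timestamp_timeout", 5) != 0:
        findings.append("timestamp_timeout != 0: cached timestamp skips the per-command agent check")
    return findings
```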
