[sudo-users] Strange behavior on macOS 12.0.1 (21A559)

Todd C. Miller Todd.Miller at sudo.ws
Fri Nov 12 07:41:36 MST 2021


On Fri, 12 Nov 2021 10:21:56 +0100, Benjamin Burke via sudo-users wrote:

> I have two Intel MacBooks running with the latest version of macOS
> 12.0.1 (21A559). One of them has this problem and the other does
> not. The problem is that sudo doesn't prompt for a password but it
> acts like it has -- it acts like it has received several invalid
> password attempts. This happens immediately.
>
> % sudo date
> Sorry, try again.
> Sorry, try again.
> sudo: 3 incorrect password attempts
>
> % sudo -A date     
> Sorry, try again.
> Sorry, try again.
> sudo: 3 incorrect password attempts

This is almost certainly a PAM problem of some sort.

> This is interesting because on the computer with working sudo the
> above results in the error:
> "sudo: no askpass program specified, try setting SUDO_ASKPASS"

That indicates that on the system with the non-working sudo, the
function that reads the password is never called.  Again, this
points to a PAM problem.

Is the PAM configuration the same on both systems?
Try comparing the /etc/pam.d/sudo file on both.

> I do have to admit that there are things on both these computers
> which could in theory complicate this issue. I use YubiKeys on both,
> with OpenSC for PIV-based ssh. I have also paired the YubiKeys to
> macOS so I can typically authenticate with the YubiKey and a macOS
> PIN prompt. But again, both computers are the same in this respect
> and one has no issues with sudo.

Could the smartcard settings be configured differently on the two
systems?  I'm assuming that YubiKeys are configured on macOS as
smartcards.

 - todd
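
The comparison of the two /etc/pam.d/sudo files suggested above, as an added example that is not part of the original message or of sudo itself. The function names (`pam_rules`, `pam_compare`, `pam_samples`) are hypothetical and the sample stacks are constructed, not taken from either machine in the thread.

```shell
#!/bin/sh
# Added example: compare the effective PAM stacks of two copies of
# /etc/pam.d/sudo. Function names and sample files are hypothetical.

# Print the effective rules of a PAM service file: strip comments and blank
# lines, collapse whitespace, keep the order (PAM evaluates rules in order,
# so the output is deliberately not sorted).
pam_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Return 0 if both files yield the same rules, 1 if they differ (unified
# diff on stdout), 2 if a temporary file cannot be created.
pam_compare() {
    a=$(mktemp "${TMPDIR:-/tmp}/pam.XXXXXX") || return 2
    b=$(mktemp "${TMPDIR:-/tmp}/pam.XXXXXX") || { rm -f "$a"; return 2; }
    pam_rules "$1" > "$a"
    pam_rules "$2" > "$b"
    rc=0
    diff -u "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Write constructed sample files into directory $1:
#   a: tabs and comments, b: same rules with different spacing,
#   c: same rules with the two auth lines in a different order.
pam_samples() {
    {
        printf '# sudo: auth account\n'
        printf 'auth\tsufficient\tpam_smartcard.so\n'
        printf 'auth       required       pam_opendirectory.so   # local accounts\n'
        printf '\naccount    required       pam_permit.so\n'
    } > "$1/a"
    printf '%s\n' 'auth sufficient pam_smartcard.so' \
        'auth required pam_opendirectory.so' \
        'account required pam_permit.so' > "$1/b"
    printf '%s\n' 'auth required pam_opendirectory.so' \
        'auth sufficient pam_smartcard.so' \
        'account required pam_permit.so' > "$1/c"
}

# Usage: sh pamdiff.sh sudo.from-machine1 sudo.from-machine2
if [ "$#" -eq 2 ]; then pam_compare "$1" "$2"; fi
```

An exit status of 0 means the two stacks are equivalent apart from comments and spacing; a status of 1 comes with a diff of the rules that differ.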