minor weirdness with sudo and pam_ldap
jeh at profitlogic.com
Tue Nov 20 10:59:15 EST 2001
[This is being cross-posted to both pamldap at padl.com and
sudo-workers at courtesan.com]
I'm seeing a very minor weirdness with sudo when using pam_ldap.
Specifically, I get one crack at the password, and if I get it wrong sudo

    sudo: pam_authenticate: Authentication service cannot retrieve
My PAM stack for sudo looks like this:
    auth sufficient pam_ldap.so
    auth required   pam_unix.so try_first_password
I should point out that this is more of an annoyance as it means:
1) If I get the right password everything is just fine.
2) If I get it wrong I don't get a second chance at entering my password.
(and I tend to mistype a bit...)
3) If I get the passphrase wrong, sudo doesn't report this, as it's erroring
I believe the problem is that pam_ldap returns PAM_AUTHINFO_UNAVAIL in the
case that authentication fails, but sudo only looks for PAM_AUTH_ERR or
PAM_MAX_TRIES. I'm not sure whose bug this is, but I can produce a trivial
patch for sudo that fixes this. (and there may be an argument for and
against doing it in sudo...) I should point out that the fix for sudo does
work fine, but I'm not sure whether it's sudo or pam_ldap's issue.
Justin Hahn
Systems Administrator, ProfitLogic
jhahn at profitlogic.com
o: 617-218-1986

11 Cambridge Center
Cambridge, MA 02142
www.profitlogic.com
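What the stack quoted in the post actually hands back to sudo, as an added example that is not code from the post, from sudo or from pam_ldap: a Python model of Linux-PAM's documented control-flag rules (required, requisite, sufficient, optional) run over the poster's two-line stack, plus a model of the caller's reaction as the post describes it (only PAM_AUTH_ERR and PAM_MAXTRIES recognised as a bad password, with a `widen` switch for the proposed sudo change). The post does not say which PAM implementation is in use and other implementations have their own stacking rules, so the evaluator is an assumption about Linux-PAM only; `run_auth_stack`, `sudo_verdict` and `wrong_password` are hypothetical names, and the module return codes in the scenario are constructed from the post's description (pam_ldap answering PAM_AUTHINFO_UNAVAIL to a mistyped password).

```python
# Added example, not from the post, sudo or pam_ldap: a model of how a PAM
# auth stack like the one in the post is evaluated under Linux-PAM's
# documented control-flag rules.  Return codes are kept as names because the
# numeric values differ between PAM implementations.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_MAXTRIES = "PAM_MAXTRIES"   # the post writes PAM_MAX_TRIES; libpam's macro is PAM_MAXTRIES
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

# The sudo auth stack quoted in the post (module arguments omitted).
SUDO_STACK = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]


def run_auth_stack(stack, module_results):
    """Return what pam_authenticate() hands back for `stack`, given what each
    module returns (module_results maps module name -> return code).

    Linux-PAM rules modelled here (assumption: Linux-PAM semantics only):
      sufficient: success with no earlier required failure ends the stack
                  with success; a failure is ignored and the stack continues.
      required:   failure is remembered (the first failure's code wins) but
                  the remaining modules still run.
      requisite:  failure is returned immediately.
      optional:   only counts if nothing else has decided the outcome.
    """
    impression = None        # None = undecided, True = positive, False = negative
    status = PAM_SUCCESS
    for control, module in stack:
        rc = module_results[module]
        ok = rc in (PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD)
        if control == "sufficient":
            if ok and impression is not False:
                return rc            # stack ends here; later modules never run
            continue                 # a failing sufficient module contributes nothing
        if control == "optional":
            if ok and impression is None:
                impression, status = True, rc
            continue
        if control not in ("required", "requisite"):
            raise ValueError("unknown control flag: " + control)
        if ok:
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, rc
        else:
            if impression is not False:
                impression, status = False, rc   # first failure's code is kept
            if control == "requisite":
                return status        # requisite: stop at once
    if impression is None:
        return PAM_PERM_DENIED       # no module decided anything: fail closed
    return status


def sudo_verdict(rc, widen=False):
    """Model (hypothetical, not sudo's code) of the caller's reaction as the
    post describes it: PAM_AUTH_ERR means ask for the password again,
    PAM_MAXTRIES means give up, anything else is reported as an error.
    widen=True models the poster's proposed change of also treating
    PAM_AUTHINFO_UNAVAIL as a bad password."""
    if rc == PAM_SUCCESS:
        return "ok"
    retryable = {PAM_AUTH_ERR}
    if widen:
        retryable.add(PAM_AUTHINFO_UNAVAIL)
    if rc in retryable:
        return "bad password, ask again"
    if rc == PAM_MAXTRIES:
        return "bad password, give up"
    return "error: " + rc


def wrong_password(pam_unix_rc, widen=False):
    """Constructed scenario: the user mistypes, pam_ldap rejects with
    PAM_AUTHINFO_UNAVAIL (as the post reports), pam_unix returns pam_unix_rc.
    Returns (code seen by sudo, sudo's modelled reaction)."""
    results = {"pam_ldap.so": PAM_AUTHINFO_UNAVAIL, "pam_unix.so": pam_unix_rc}
    rc = run_auth_stack(SUDO_STACK, results)
    return rc, sudo_verdict(rc, widen)


if __name__ == "__main__":
    print(wrong_password(PAM_AUTH_ERR))
    print(wrong_password(PAM_AUTHINFO_UNAVAIL))
    print(wrong_password(PAM_AUTHINFO_UNAVAIL, widen=True))
```

Under these rules a failing `sufficient` pam_ldap contributes nothing to the result, so the code sudo sees is whatever the `required` pam_unix line returned; PAM_AUTHINFO_UNAVAIL only reaches the application when pam_unix returns it as well. Widening sudo's check, as the post proposes, changes only how the caller reacts to that code, not which code the stack produces.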