minor weirdness with sudo and pam_ldap

Justin Hahn jeh at profitlogic.com
Tue Nov 20 10:59:15 EST 2001


[This is being cross-posted to both pamldap at padl.com and
sudo-workers at courtesan.com]

I'm seeing a very minor weirdness with sudo when using pam_ldap.
Specifically, I get one crack at the password, and if I get it wrong sudo
complains with:

sudo: pam_authenticate: Authentication service cannot retrieve
authentication info.

My PAM stack for sudo looks like this:

auth	sufficient	pam_ldap.so
auth	required	pam_unix.so try_first_password


I should point out that this is more of an annoyance as it means:
1) If I get the right password everything is just fine.
2) If I get it wrong I don't get a second chance at entering my password.
   (and I tend to mistype a bit...)
3) If I get the passphrase wrong, sudo doesn't report this, as it's erroring
   out.


I believe the problem is that pam_ldap returns PAM_AUTHINFO_UNAVAIL in the
case that authentication fails, but sudo only looks for PAM_AUTH_ERR or
PAM_MAX_TRIES. I'm not sure whose bug this is, but I can produce a trivial
patch for sudo that fixes this. (and there may be an argument for and
against doing it in sudo...) I should point out that the fix for sudo does
work fine, but I'm not sure whether it's sudo or pam_ldap's issue.

----
Justin Hahn              ProfitLogic
jhahn at profitlogic.com    11 Cambridge Center
Systems Administrator    Cambridge, MA 02142
o: 617-218-1986          www.profitlogic.com
m: 617-501-2743
f: 617-218-1901
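An added example, not code from sudo, pam_ldap or the poster: a small C model of the pam_authenticate() retry loop described above, with a constructed sequence of PAM return codes standing in for the real PAM stack. It runs the same scenario (one mistyped password, then the correct one) through the loop twice: once retrying only on PAM_AUTH_ERR, and once also retrying on PAM_AUTHINFO_UNAVAIL as the proposed sudo patch would. The return-code values are Linux-PAM's (where the constant is spelled PAM_MAXTRIES) and are defined locally only so the program builds without libpam; MAX_TRIES, the scripted-response helper and the names below are assumptions for the illustration.

```c
/* Model of a sudo-style PAM retry loop (added example, not sudo's code). */
#include <stdio.h>
#include <stddef.h>

/* Assumed: values as in Linux-PAM's <security/pam_appl.h>, defined here
 * so the example builds without libpam. */
enum {
    PAM_SUCCESS          = 0,
    PAM_AUTH_ERR         = 7,
    PAM_AUTHINFO_UNAVAIL = 9,
    PAM_MAXTRIES         = 11
};

enum { MAX_TRIES = 3 };   /* assumed number of password prompts */

typedef enum {
    VERIFY_OK,            /* a password was accepted */
    VERIFY_BAD_PASS,      /* every attempt was rejected */
    VERIFY_ERROR          /* loop bailed out on an unexpected code */
} verify_result;

typedef struct {
    verify_result result;
    int           attempts;   /* prompts the user actually got */
} verify_outcome;

/* Stand-in for pam_authenticate(): hands out a scripted list of return
 * codes, one per call, so the loop can be exercised offline. */
typedef struct {
    const int *codes;
    size_t     count;
    size_t     next;
} fake_pam;

static int fake_pam_authenticate(fake_pam *p)
{
    if (p->next >= p->count)
        return PAM_AUTH_ERR;  /* script exhausted: behave like a wrong password */
    return p->codes[p->next++];
}

/* The retry loop.  With retry_on_authinfo_unavail == 0 only PAM_AUTH_ERR
 * earns another prompt, which is the behaviour the post complains about;
 * with it set, PAM_AUTHINFO_UNAVAIL is treated the same way. */
static verify_outcome verify_loop(fake_pam *p, int retry_on_authinfo_unavail)
{
    verify_outcome out = { VERIFY_BAD_PASS, 0 };

    while (out.attempts < MAX_TRIES) {
        int rc = fake_pam_authenticate(p);
        out.attempts++;

        if (rc == PAM_SUCCESS) {
            out.result = VERIFY_OK;
            return out;
        }
        if (rc == PAM_AUTH_ERR)
            continue;                     /* wrong password: prompt again */
        if (rc == PAM_AUTHINFO_UNAVAIL && retry_on_authinfo_unavail)
            continue;                     /* proposed fix: same as PAM_AUTH_ERR */
        if (rc == PAM_MAXTRIES) {
            out.result = VERIFY_BAD_PASS; /* the module gave up for us */
            return out;
        }
        out.result = VERIFY_ERROR;        /* anything else: bail out, as sudo did */
        return out;
    }
    return out;                           /* MAX_TRIES rejections */
}

/* Convenience wrapper: run a scripted scenario from the start. */
verify_outcome run_scenario(const int *codes, size_t count, int fixed)
{
    fake_pam p = { codes, count, 0 };
    return verify_loop(&p, fixed);
}

/* Constructed scenario: first password mistyped (pam_ldap answers with
 * PAM_AUTHINFO_UNAVAIL), second one correct. */
const int mistype_then_correct[] = { PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS };
const size_t mistype_then_correct_len = 2;

int main(void)
{
    static const char *names[] = { "OK", "BAD_PASS", "ERROR" };
    verify_outcome before = run_scenario(mistype_then_correct, mistype_then_correct_len, 0);
    verify_outcome after  = run_scenario(mistype_then_correct, mistype_then_correct_len, 1);

    printf("retry on AUTH_ERR only:           %s after %d attempt(s)\n",
           names[before.result], before.attempts);
    printf("retry on AUTHINFO_UNAVAIL as well: %s after %d attempt(s)\n",
           names[after.result], after.attempts);
    return 0;
}
```

Without the extra case the loop returns VERIFY_ERROR after a single prompt, which is the one-crack-at-the-password behaviour and the "cannot retrieve authentication info" message; with it the second prompt is offered and the correct password succeeds. Whether that mapping belongs in sudo or whether pam_ldap should be returning PAM_AUTH_ERR in the first place is the question the post leaves open.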