[sudo-workers] PAM Support in Sudo

blfarrell at ra.rockwell.com blfarrell at ra.rockwell.com
Fri Jun 25 09:30:22 EDT 2004


In upgrading to sudo-1.6.7p5 and configuring it to use PAM support (we use 
a PAM module to implement tracking of failed attempts during password 
authentication).  As expected I found that the pam support in sudo does 
the authentication properly, however it does not perform the required 
account management to clear the failed authentication counter upon 
successful authentication.  While fixing this, I also realized that it 
would authenticate a user that had an expired password (which could be the 
case if the user has been logged in for a period of time).  To solve the 
problem I added the pam code to force the password reset.  I also did this 
same code change for sudo-1.6.8rc1.

I think this make sense to put back into the distribution so I am sending 
it to this list.

Please let me know if you have any questions or I should be submitting the 
code through another mechanism.

On a side note when compiling 1.6.8rc1 under Solaris with Sun's compiler I 
needed to set 'CXXCPP=/usr/ccs/lib/cpp' as the configure script couldn't 
figure it out.

Brian Farrell

More information about the sudo-workers mailing list