[sudo-workers] [patch] Properly handle Ctrl-C at PAM password prompt
Anders Kaseorg
anders at kaseorg.com
Thu Sep 28 18:05:54 EDT 2006
Currently, if you hit Ctrl-C at the password prompt, sudo actually tries
to authenticate using the empty password, and gives a two-second delay
when this fails. This is very annoying when I just wanted to go back and
change one character of my command line, and it does not help to slow an
attacker because Ctrl-C could not be used to test a (nonempty) password
anyway.

tgetpass properly returns "" if the user actually typed the empty
password and NULL if the user hit ^C, but sudo_conv in auth/pam.c does
not distinguish between these return values. Here is a simple patch to
correct this by returning PAM_CONV_ERR on NULL, causing a quick abort
with an error.
<http://anders.kaseorg.com/pub/patches/sudo-1.7-ctrl-c-fix.patch>
(By the way, Sudo bugzilla <http://www.sudo.ws/bugs/> is down; it is
returning SQL errors on every attempt to query it.)
Anders