[sudo-workers] [patch] Properly handle Ctrl-C at PAM password prompt

Anders Kaseorg anders at kaseorg.com
Thu Sep 28 18:05:54 EDT 2006

Currently if you hit Ctrl-C at the password prompt, sudo actually tries
to authenticate using the empty password, and gives a two-second delay
when this fails. This is very annoying when I just wanted to go back and
change one character of my command line, and it does not help to slow an
attacker because Ctrl-C could not be used to test a (nonempty) password

tgetpass properly returns "" if the user actually typed the empty
password and NULL if the user hit ^C, but sudo_conv in auth/pam.c does
not distinguish between these return values. Here is a simple patch to
correct this by returning PAM_CONV_ERR on NULL, causing a quick abort
with an error.


(By the way, Sudo bugzilla <http://www.sudo.ws/bugs/> is down; it is
returning SQL errors on every attempt to query it.)


More information about the sudo-workers mailing list