
List:       sudo-workers
Subject:    minor weirdness with sudo and pam_ldap
From:       Justin Hahn <jeh () profitlogic ! com>
Date:       2001-11-20 15:59:15
Message-ID: 419A3E73A18BD211A17000105A1C37E9C9D7B1 () mail ! grossprofit ! com

[This is being cross-posted to both pamldap@padl.com and
sudo-workers@courtesan.com]

I'm seeing a very minor weirdness with sudo when using pam_ldap.
Specifically, I get one crack at the password, and if I get it wrong sudo
complains with:

sudo: pam_authenticate: Authentication service cannot retrieve
authentication info.

My PAM stack for sudo looks like this:

auth	sufficient	pam_ldap.so 
auth	required	pam_unix.so try_first_password 


I should point out that this is more of an annoyance as it means:
1) If I get the right password everything is just fine.
2) If I get it wrong I don't get a second chance at entering my password.
   (and I tend to mistype a bit...)
3) If I get the passphrase wrong, sudo doesn't report this, as it's erroring
   out.


I believe the problem is that pam_ldap returns PAM_AUTHINFO_UNAVAIL in the
case that authentication fails, but sudo only looks for PAM_AUTH_ERR or
PAM_MAX_TRIES. I'm not sure whose bug this is, but I can produce a trivial
patch for sudo that fixes this. (and there may be an argument for and
against doing it in sudo...) I should point out that the fix for sudo does
work fine, but I'm not sure whether it's sudo or pam_ldap's issue.

----
Justin Hahn              ProfitLogic
jhahn@profitlogic.com    11 Cambridge Center
Systems Administrator    Cambridge, MA 02142
o: 617-218-1986          www.profitlogic.com
m: 617-501-2743
f: 617-218-1901
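
[Added example, not part of the original message and not code from sudo or pam_ldap: a C model of the retry loop discussed above, showing how the caller's handling of an "auth info unavailable" result changes what the user sees. The enum values, `verify_user`, `auth_fn` and `scripted_auth` are hypothetical names; the scripted return codes are constructed sample input.]

```c
#include <stdio.h>

/* Stand-ins for the PAM return codes named in the message (constructed enum,
 * not the constants from <security/pam_appl.h>). */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_AUTHINFO_UNAVAIL, RC_MAXTRIES, RC_SYSTEM_ERR };
enum outcome { AUTH_OK, AUTH_DENIED, AUTH_FATAL };

/* Hypothetical hook: one call models one pam_authenticate() round. */
typedef enum rc (*auth_fn)(void *ctx);

/* retry_unavail=0 models the behaviour reported in the message,
 * retry_unavail=1 the kind of change it proposes. */
enum outcome verify_user(auth_fn auth, void *ctx, int max_tries,
                         int retry_unavail, int *prompts)
{
    *prompts = 0;
    while (*prompts < max_tries) {
        enum rc rc = auth(ctx);
        (*prompts)++;
        if (rc == RC_SUCCESS)
            return AUTH_OK;          /* the only path that grants access */
        if (rc == RC_MAXTRIES)
            return AUTH_DENIED;      /* module says stop prompting */
        if (rc == RC_AUTH_ERR || (rc == RC_AUTHINFO_UNAVAIL && retry_unavail))
            continue;                /* counted as a wrong password: prompt again */
        return AUTH_FATAL;           /* any other code fails closed with an error */
    }
    return AUTH_DENIED;              /* tries exhausted */
}

/* Constructed sample input: a scripted sequence of return codes. */
struct script { const enum rc *codes; int pos; };

enum rc scripted_auth(void *ctx)
{
    struct script *s = ctx;
    return s->codes[s->pos++];
}

int main(void)
{
    const enum rc typo_then_ok[] = { RC_AUTHINFO_UNAVAIL, RC_SUCCESS };
    for (int retry = 0; retry <= 1; retry++) {
        struct script s = { typo_then_ok, 0 };
        int prompts;
        enum outcome o = verify_user(scripted_auth, &s, 3, retry, &prompts);
        printf("retry_unavail=%d outcome=%d prompts=%d\n", retry, o, prompts);
    }
    return 0;
}
```

[In both modes only a success code grants access; the difference is whether the "unavailable" result ends the session with an error after one prompt or is counted as a failed try.]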
  
