Bug 799

Summary: Sudo 1.8.21 obscures pam_oath's prompt
Product: Sudo
Reporter: Evangelos Foutras <evangelos>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.20
Hardware: PC
OS: Linux

Description Evangelos Foutras 2017-09-05 07:10:12 MDT
(This is a bug report I received downstream in Arch and was able to reproduce. [1])

After upgrading to Sudo 1.8.21, the prompt from pam_oath gets replaced by sudo's password prompt. (See examples further below.)

I tracked it down to: https://www.sudo.ws/repos/sudo/rev/96651906de42 

In the following tests pam_oath is configured as described on [2].

====================================================
sudo 1.8.20 prompts w/ pam_oath 
-------------------------------
$ sudo true
One-time password (OATH) for `foutrelis': (entered one-time password)
[sudo] password for foutrelis: (entered user password)
$ (successful authentication)


sudo 1.8.21 prompts w/ pam_oath 
-------------------------------
$ sudo true
[sudo] password for foutrelis: (entered one-time password)
[sudo] password for foutrelis: (entered user password)
$ (successful authentication)
====================================================

[1] https://bugs.archlinux.org/task/55514
[2] http://www.nongnu.org/oath-toolkit/pam_oath.html
Comment 1 Todd C. Miller 2017-09-05 09:31:35 MDT
This should be fixed by https://www.sudo.ws/repos/sudo/rev/6ee5cc13af69
Comment 2 Evangelos Foutras 2017-09-05 10:49:26 MDT
The logic looks OK now and a quick test shows that it behaves correctly. Thanks for the quick fix!

A related thought would be if it'd be possible to show the prompt from pam_oath in cases where a custom user prompt is provided:

$ sudo -p 'Password for %u: ' true
Password for foutrelis: (entered one-time password)
Password for foutrelis: (entered user password)
$ (successful authentication)

It seems confusing to see the same prompt for both kinds of passwords.

I'd understand if that's not a supported use case (or complicated to implement), but thought I'd mention it.
Comment 3 Todd C. Miller 2017-09-07 05:55:58 MDT
There are two ways for the user to specify a prompt with slightly different semantics.

1) The SUDO_PROMPT environment variable.  This is treated the same as the "passprompt" sudoers option and will not replace a challenge/response type prompt unless "passprompt_override" is set in sudoers.

2) The -p command line option.  Unlike SUDO_PROMPT, this option implies "passprompt_override".  It is assumed the user knows what they are doing :-)
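The two ways of setting a custom prompt described in the previous comment map onto the following sudoers Defaults lines. This is an added configuration example, not part of the bug report or of the sudo project's own files; the prompt string "Password for %u: " is taken from the example in comment 2, and the comments describe the behaviour comment 3 spells out.

```sudoers
# Added example (not from the bug report): a custom password prompt that
# still lets pam_oath's "One-time password (OATH)" prompt show through.
# This is the sudoers equivalent of exporting SUDO_PROMPT='Password for %u: '
# in the shell: the custom text is used only for sudo's own password prompt.
Defaults passprompt="Password for %u: "

# Uncommenting the line below makes every challenge/response prompt from
# PAM, including pam_oath's, appear as "Password for <user>: ", which is the
# same effect "sudo -p" has on its own. Leave it commented out when a PAM
# module's prompt tells the user which factor (OTP vs. account password)
# is currently being requested.
# Defaults passprompt_override
```

Edit the file with visudo so a syntax error cannot lock you out; with only the first line active, the prompt sequence for a user with pam_oath configured looks like the 1.8.20 transcript at the top of this report, with "Password for foutrelis:" replacing the "[sudo] password for foutrelis:" line.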
Comment 4 Todd C. Miller 2017-09-07 05:56:44 MDT
Sudo 1.8.21p2 is out now, which includes the fix.