Bugzilla – Bug 956
sudo -n incorrectly ask for a password when using pam
Last modified: 2022-01-27 19:50:32 MST
Hi all,

This is a duplicate of an issue I opened on github: https://github.com/sudo-project/sudo/issues/83 but it seems this is a more appropriate place to report (?).

First and foremost, apologies if this bug is known or if I missed a workaround. If so, just send me there, thanks in advance.

I'm trying to use pam ssh agent auth to allow users to be able to sudo without a password, granted they are using the proper identity. While this seems to be working in interactive mode, non-interactive mode keeps asking for a password when none is needed.

    $ sudo -V
    Sudo version 1.8.27
    Sudoers policy plugin version 1.8.27
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.27

    $ sudo -k whoami
    root

    $ sudo -nk whoami
    sudo: a password is required

Unless I am missing something, this seems like a bug. Clearly, a password is NOT required, unless I somehow fubared the config - which is absolutely possible.

pam ssh agent is set up as the first item in /etc/pam.d/sudo:

    auth sufficient pam_ssh_agent_auth.so file=/path/to/authorized/pubkeys
The -n flag will cause sudo to refuse to run if authentication is required. In your case, authentication doesn't require a password to be entered, but sudo doesn't really know that. It may be possible to push that check further down into the code that does the actual prompting but that may not work in all cases.
Fixed in sudo 1.9.9.
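The first reply contrasts refusing up front when -n is given with pushing the check down into the code that does the prompting. The model below is an added example, not part of the thread and not sudo or libpam source. It compares the two placements against a stack whose first module succeeds without prompting. Every type and function name in it is a hypothetical stand-in, and the "sufficient" handling is simplified.

```c
/* Added model, not sudo or libpam source; every name here is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>
enum { AUTH_OK = 0, AUTH_FAIL = 1, CONV_ERR = 2 };
enum msg_style { PROMPT_ECHO_OFF, TEXT_INFO };
struct conv_state { bool non_interactive; };
typedef int (*conv_fn)(enum msg_style, const char *, const struct conv_state *);
typedef int (*auth_module)(conv_fn, const struct conv_state *);

/* Deferred check: fail only when a module really asks the user for input. */
static int converse(enum msg_style style, const char *msg, const struct conv_state *st) {
    (void)msg;
    if (style == PROMPT_ECHO_OFF && st->non_interactive) return CONV_ERR;
    return AUTH_OK; /* model: an interactive user answers the prompt correctly */
}

/* Models a key-agent module: it decides without calling the conversation. */
static int agent_module(conv_fn conv, const struct conv_state *st) {
    (void)conv; (void)st; return AUTH_OK;
}

/* Models a password module: it must prompt through the conversation. */
static int password_module(conv_fn conv, const struct conv_state *st) {
    return conv(PROMPT_ECHO_OFF, "Password: ", st) == AUTH_OK ? AUTH_OK : AUTH_FAIL;
}

/* Simplified "sufficient" semantics: the first module to succeed ends the stack. */
static int run_stack(const auth_module *stack, size_t n, const struct conv_state *st) {
    for (size_t i = 0; i < n; i++)
        if (stack[i](converse, st) == AUTH_OK) return AUTH_OK;
    return AUTH_FAIL;
}

/* Reported behaviour: -n refuses before any module is consulted. */
int auth_early_check(const auth_module *stack, size_t n, bool non_interactive) {
    struct conv_state st = { false };
    return non_interactive ? AUTH_FAIL : run_stack(stack, n, &st);
}

/* Suggested behaviour: -n is enforced only inside the prompting code. */
int auth_deferred_check(const auth_module *stack, size_t n, bool non_interactive) {
    struct conv_state st = { non_interactive };
    return run_stack(stack, n, &st);
}

/* Constructed stacks: agent module listed first (as in the report), and password only. */
const auth_module agent_first[] = { agent_module, password_module };
const auth_module password_only[] = { password_module };
int main(void) { return auth_deferred_check(agent_first, 2, true) == AUTH_OK ? 0 : 1; }
```

With the deferred check, a non-interactive run still fails closed for the password-only stack, so the -n guarantee of never prompting is preserved.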