Package: gksu
Version: 2.0.0-4
If the configured PAM stack prompts more than once for a credential,
or for more than one type of credential, gksu fails. For example,
pam_krb5.so with PKINIT linked against MIT Kerberos 1.6.3 prompts for
both the user's Kerberos password (which may be empty) and the user's
smartcard PIN (for PKINIT). If this fails, the Kerberos library may
prompt for the Kerberos password again. Finally, if pam_unix is in
the sudo auth stack, the user will be prompted for the user's local
password if Kerberos authentication fails.
For example, the prompts normally look like so:
[EMAIL PROTECTED]:~$ sudo ls
[sudo] password for krbuser: <kerberos password>
TEST.USER PIN: <smartcard pin>
Password for [EMAIL PROTECTED]: <kerberos password>
Password: <local password>
Typically MIT Kerberos PKINIT users will see two prompts; one for the
password and one for the PIN. This enables auto-fallback to the
Kerberos password if PKINIT fails.
sudo properly sets the prompt on all these prompts:
[EMAIL PROTECTED]:~$ sudo -p GNOME_SUDO_PASS ls
GNOME_SUDO_PASS
GNOME_SUDO_PASS
GNOME_SUDO_PASS
GNOME_SUDO_PASS
When multiple prompts are required by PAM, gksu collects only the first:
[EMAIL PROTECTED]:~$ gksudo -d ls
No ask_pass set, using default!
xauth: /tmp/libgksu-jhwkpb/.Xauthority
STARTUP_ID: gksudo/ls/8452-0-test_TIME2283623798
cmd[0]: /usr/bin/sudo
cmd[1]: -H
cmd[2]: -S
cmd[3]: -p
cmd[4]: GNOME_SUDO_PASS
cmd[5]: -u
cmd[6]: root
cmd[7]: --
cmd[8]: ls
buffer: -
GNOME_SUDO_PASSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS-
brute force GNOME_SUDO_PASS ended...
Yeah, we're in...
GNOME_SUDO_PASS
xauth: /tmp/libgksu-jhwkpb/.Xauthority
xauth_env: /home/TEST/krbuser/.Xauthority
dir: /tmp/libgksu-jhwkpb
[EMAIL PROTECTED]:~$
Other applications, such as Xscreensaver, gdm, login, etc. are
capable of handling multiple prompts. For example, when the screen
is locked for a PKINIT user, the first xscreensaver prompt is for the
user's password; when enter is struck, xscreensaver presents the next
prompt to the user, and so on until PAM completes authentication.
-- Tim
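
Added example, not part of the original report and not libgksu's own code: one way a sudo front end could answer every GNOME_SUDO_PASS marker in sudo's output rather than only the first, including a marker split across two reads. The names scanner_feed, ask_fn, reply_fn and the demo_* helpers are hypothetical, and the replayed stream and secrets are constructed.

```c
#include <string.h>
#define PROMPT "GNOME_SUDO_PASS"                        /* marker given to sudo -p in the report */
typedef const char *(*ask_fn)(int nth, void *ctx);      /* hypothetical: dialog for the nth prompt */
typedef int (*reply_fn)(const char *secret, void *ctx); /* hypothetical: write to sudo's stdin */
struct scanner { size_t matched; int prompts; };

/* Feed one chunk of sudo's output; answer every complete marker, even one
 * split across chunks. Returns the total prompts answered, or -1 on cancel. */
int scanner_feed(struct scanner *s, const char *buf, size_t len,
                 ask_fn ask, reply_fn reply, void *ctx)
{
    for (size_t i = 0; i < len; i++) {
        /* 'G' occurs only at index 0 of PROMPT, so a mismatch restarts at 0 or 1. */
        if (buf[i] == PROMPT[s->matched]) s->matched++;
        else s->matched = (buf[i] == PROMPT[0]);
        if (s->matched == sizeof(PROMPT) - 1) {
            const char *secret = ask(s->prompts, ctx);
            if (secret == NULL || reply(secret, ctx) != 0) return -1;
            s->prompts++;
            s->matched = 0;
        }
    }
    return s->prompts;
}

/* Constructed stand-ins for the password dialog and the pipe to sudo. */
static const char *demo_ask(int nth, void *ctx)
{
    static const char *answers[] = { "krb-pw", "pin", "krb-pw", "local-pw" };
    return nth < 4 ? answers[nth] : NULL;
}
static int demo_reply(const char *secret, void *ctx)
{
    strcat(strcat((char *)ctx, secret), "\n");   /* stands in for write() to sudo */
    return 0;
}

/* Replays four prompts (constructed input), the second split across reads. */
int demo(char *log)
{
    const char *chunks[] = { "GNOME_SUDO_PASS\nGNOME_SU", "DO_PASS\n",
                             "GNOME_SUDO_PASS\nGNOME_SUDO_PASS\n" };
    struct scanner s = { 0, 0 };
    int n = 0;
    log[0] = '\0';
    for (int i = 0; i < 3 && n >= 0; i++)
        n = scanner_feed(&s, chunks[i], strlen(chunks[i]), demo_ask, demo_reply, log);
    return n;
}
```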