You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
// no password supplied; request non-interactive sudo, which will fail with an error if a password was required
cmdArgs=append(cmdArgs, "-n")
}
The problem with this is that when using non-standard PAM modules to authenticate, the password prompt flow may be different. For example, the PAM module may ask more than one question, or even none at all.
I'm running into the latter case: using yubikey-agent + pam_ssh_agent_auth, I never actually have to type anything on the remote. The agent will prompt for the pin locally using pinentry, and then most of the time touching the yubikey is enough to authenticate.
If I don't pass --passwd to morph, the PAM module doesn't seem to get a chance to run, and sudo complains that a password is required. If I do, morph prompts for an (unnecessary) password, and entering any bogus, but non-empty value allows me to successfully authenticate using the yubikey.
It might be sensible to allow sudo's interactive authentication to run properly, and in fact I would expect --passwd to do just that rather than implement its own password prompt.
Also it seems sudo's own authentication cache is not working at all, because I have to touch the yubikey multiple times. Maybe that was the reason for implementing a prompt in morph in the first place?
The text was updated successfully, but these errors were encountered:
It seems that morph implements its own password prompt, and it will pass
-n
to sudo it not using--passwd
:morph/ssh/ssh.go
Lines 149 to 154 in 5b85237
The problem with this is that when using non-standard PAM modules to authenticate, the password prompt flow may be different. For example, the PAM module may ask more than one question, or even none at all.
I'm running into the latter case: using yubikey-agent + pam_ssh_agent_auth, I never actually have to type anything on the remote. The agent will prompt for the pin locally using pinentry, and then most of the time touching the yubikey is enough to authenticate.
If I don't pass
--passwd
to morph, the PAM module doesn't seem to get a chance to run, and sudo complains that a password is required. If I do, morph prompts for an (unnecessary) password, and entering any bogus, but non-empty value allows me to successfully authenticate using the yubikey.It might be sensible to allow sudo's interactive authentication to run properly, and in fact I would expect
--passwd
to do just that rather than implement its own password prompt.Also it seems sudo's own authentication cache is not working at all, because I have to touch the yubikey multiple times. Maybe that was the reason for implementing a prompt in morph in the first place?
The text was updated successfully, but these errors were encountered: