Support alternative sudo authentication methods #201

9ary opened this issue Apr 6, 2023 · 0 comments
9ary commented Apr 6, 2023

It seems that morph implements its own password prompt, and it will pass -n to sudo if not using --passwd:

morph/ssh/ssh.go, lines 149 to 154 in 5b85237:

```go
if sshCtx.sudoPassword != "" {
	cmdArgs = append(cmdArgs, "-S")
} else {
	// no password supplied; request non-interactive sudo, which will fail with an error if a password was required
	cmdArgs = append(cmdArgs, "-n")
}
```

The problem with this is that when using non-standard PAM modules to authenticate, the password prompt flow may be different. For example, the PAM module may ask more than one question, or even none at all.

I'm running into the latter case: using yubikey-agent + pam_ssh_agent_auth, I never actually have to type anything on the remote. The agent will prompt for the pin locally using pinentry, and then most of the time touching the yubikey is enough to authenticate.

If I don't pass --passwd to morph, the PAM module doesn't seem to get a chance to run, and sudo complains that a password is required. If I do, morph prompts for an (unnecessary) password, and entering any bogus, but non-empty value allows me to successfully authenticate using the yubikey.

It might be sensible to allow sudo's interactive authentication to run properly, and in fact I would expect --passwd to do just that rather than implement its own password prompt.

Also it seems sudo's own authentication cache is not working at all, because I have to touch the yubikey multiple times. Maybe that was the reason for implementing a prompt in morph in the first place?
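As an added illustration (not morph's code), a Go helper that builds the ssh + sudo argv for the three authentication modes discussed in this issue: -n, -S with a password on stdin, and a third mode that allocates a PTY so sudo and its PAM stack can run their own prompt flow. The type, function and host names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// SudoAuthMode selects how sudo on the remote host may authenticate (hypothetical type; morph only switches -S/-n).
type SudoAuthMode int

const (
	SudoNonInteractive SudoAuthMode = iota // sudo -n: fail at once if a credential is needed
	SudoPasswordStdin                      // sudo -S: password read from stdin (morph's --passwd flow)
	SudoInteractive                        // no auth flag, PTY allocated: sudo/PAM runs its own prompts
)

// BuildRemoteCommand returns the local argv (ssh ... sudo ... cmd) and the bytes to feed to stdin.
func BuildRemoteCommand(host string, mode SudoAuthMode, password string, cmd []string) ([]string, string, error) {
	if len(cmd) == 0 {
		return nil, "", errors.New("empty remote command")
	}
	argv, sudo, stdin := []string{"ssh"}, []string{"sudo"}, ""
	switch mode {
	case SudoNonInteractive:
		sudo = append(sudo, "-n")
	case SudoPasswordStdin:
		if password == "" {
			return nil, "", errors.New("-S mode needs a non-empty password")
		}
		sudo = append(sudo, "-S")
		stdin = password + "\n"
	case SudoInteractive:
		if password != "" {
			return nil, "", errors.New("interactive mode must not be combined with a stored password")
		}
		// Force a PTY even without a local terminal so sudo/PAM can run its own conversation (zero or more questions).
		argv = append(argv, "-tt")
	default:
		return nil, "", fmt.Errorf("unknown sudo auth mode %d", mode)
	}
	argv = append(append(argv, host), sudo...)
	argv = append(append(argv, "--"), cmd...)
	return argv, stdin, nil
}

func main() {
	argv, _, _ := BuildRemoteCommand("host.example", SudoInteractive, "", []string{"id"})
	fmt.Println(argv)
}
```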
