Bug#461231: gksu discards information about the credential type requested by PAM
Timothy J. Miller
tmiller at mitre.org
Thu Jan 17 14:46:08 UTC 2008
Package: gksu
Version: 2.0.0-4
PAM can be configured for multiple credential types, not just
passwords. For example, PAM can be configured to log into accounts
using PKI credentials contained on smartcards, either through
pam_pkcs11 or pam_krb5 (when PKINIT is available).
When the credential is not a password, the PAM authentication prompt
conveys to the user information about the credential requested. For
example, when using pam_pkcs11:
user@test:~$ sudo ls
TEST2.USER PIN:
This informs the user that the smartcard PIN is requested rather than
a password. Incorrectly providing the password when a PIN is requested
results in a failed authentication; multiple failed authentications
can disable the card, so this information is important.
Other PAM-reliant applications, such as sudo, xscreensaver, gdm, or
login, present the unmodified PAM credential prompt to the user.
gksu invokes sudo internally with the -p option and a fixed prompt,
which discards the credential context information PAM provides. This
leads to failed authentications and user confusion.
-- Tim
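
The behaviour the report asks for, as an added example (not code from gksu, sudo, or this report): a PAM conversation callback for a graphical front end that uses the module's own message text as the dialog label instead of a fixed prompt. The PAM types and constants are local stand-ins mirroring Linux-PAM's <security/pam_appl.h>; struct ui, ui_ask and the canned answer are hypothetical and constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins mirroring Linux-PAM's <security/pam_appl.h>, so this builds without libpam. */
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical dialog state; a real front end would draw a window instead. */
struct ui { char shown[128]; int masked; const char *answer; };

/* Show `label` exactly as given and return a heap copy of the (constructed) answer. */
static char *ui_ask(struct ui *ui, const char *label, int masked) {
    snprintf(ui->shown, sizeof ui->shown, "%s", label);
    ui->masked = masked;
    size_t len = strlen(ui->answer) + 1;
    char *copy = malloc(len);
    return copy ? memcpy(copy, ui->answer, len) : NULL;
}

/* PAM conversation callback: the module's own text becomes the dialog label. */
int gui_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata) {
    struct ui *ui = appdata;
    if (n <= 0 || !msg || !resp || !ui) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            r[i].resp = ui_ask(ui, msg[i]->msg, style == PAM_PROMPT_ECHO_OFF);
            if (r[i].resp) continue;          /* got an answer */
        } else if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO) {
            snprintf(ui->shown, sizeof ui->shown, "%s", msg[i]->msg);
            continue;                         /* display only, no reply expected */
        }
        for (int j = 0; j < i; j++) free(r[j].resp);   /* unknown style or no memory */
        free(r);
        return PAM_CONV_ERR;
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

Against a real libpam, the stand-in declarations are replaced by the system header and gui_conv is passed in the struct pam_conv given to pam_start().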