Bug#461230: gksu doesn't work when PAM requires multiple credential prompts.

Timothy J. Miller tmiller at mitre.org
Thu Jan 17 14:46:12 UTC 2008


Package: gksu
Version: 2.0.0-4

If the configured PAM stack prompts more than once for a credential,  
or for more than one type of credential, gksu fails.  For example,  
pam_krb5.so with PKINIT linked against MIT Kerberos 1.6.3 prompts for  
both the user's Kerberos password (which may be empty) and the user's  
smartcard PIN (for PKINIT).  If this fails, the Kerberos library may  
prompt for the Kerberos password again.  Finally, if pam_unix is in  
the sudo auth stack, the user will be prompted for the user's local  
password if Kerberos authentication fails.

For example, the prompts normally look like so:

krbuser@test:~$ sudo ls
[sudo] password for krbuser: <kerberos password>
TEST.USER PIN: <smartcard pin>
Password for krbuser@TEST.DOMAIN.LOCAL: <kerberos password>
Password: <local password>

Typically MIT Kerberos PKINIT users will see two prompts; one for the  
password and one for the PIN.  This enables auto-fallback to the  
Kerberos password if PKINIT fails.

sudo properly sets the prompt on all these prompts:

krbuser@test:~$ sudo -p GNOME_SUDO_PASS ls
GNOME_SUDO_PASS
GNOME_SUDO_PASS
GNOME_SUDO_PASS
GNOME_SUDO_PASS

When multiple prompts are required by PAM, gksu collects only the first:

krbuser@test:~$ gksudo -d ls
No ask_pass set, using default!
xauth: /tmp/libgksu-jhwkpb/.Xauthority
STARTUP_ID: gksudo/ls/8452-0-test_TIME2283623798
cmd[0]: /usr/bin/sudo
cmd[1]: -H
cmd[2]: -S
cmd[3]: -p
cmd[4]: GNOME_SUDO_PASS
cmd[5]: -u
cmd[6]: root
cmd[7]: --
cmd[8]: ls
buffer: - 
GNOME_SUDO_PASSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS 
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS 
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS 
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS-
brute force GNOME_SUDO_PASS ended...
Yeah, we're in...
GNOME_SUDO_PASS
xauth: /tmp/libgksu-jhwkpb/.Xauthority
xauth_env: /home/TEST/krbuser/.Xauthority
dir: /tmp/libgksu-jhwkpb
krbuser@test:~$

Other applications, such as Xscreensaver, gdm, login, etc. are  
capable of handling multiple prompts.  For example, when the screen  
is locked for a PKINIT user, the first xscreensaver prompt is for the  
user's password; when enter is struck, xscreensaver presents the next  
prompt to the user, and so on until PAM completes authentication.

-- Tim
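
Added example, not part of the original report and not gksu's code: a sketch in C of a prompt loop that answers every occurrence of the sudo -p marker instead of only the first, and that still recognises a marker split across two reads. The names prompt_scanner, scanner_feed and answer_all_prompts are hypothetical, and the answers are collected in a buffer where a real caller would show a dialog and write each reply to sudo's stdin.

```c
#include <stddef.h>
#include <string.h>

#define SENTINEL "GNOME_SUDO_PASS" /* prompt passed via sudo -p in the report */

/* Match state persists across reads, so a prompt split between two
 * chunks of child output is still recognised. */
struct prompt_scanner { size_t matched; };

/* Feed one chunk; returns the number of complete prompts ending in it. */
size_t scanner_feed(struct prompt_scanner *s, const char *buf, size_t len)
{
    const size_t n = strlen(SENTINEL);
    size_t prompts = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == SENTINEL[s->matched]) {
            if (++s->matched == n) { prompts++; s->matched = 0; }
        } else {
            /* Restart is safe: 'G' occurs only at offset 0 of SENTINEL. */
            s->matched = (buf[i] == SENTINEL[0]) ? 1 : 0;
        }
    }
    return prompts;
}

/* Hypothetical driver: one answer is queued per prompt seen, in order,
 * each terminated by a newline as sudo -S expects on stdin. Returns the
 * number of answers used, or -1 if PAM asked for more than were supplied
 * or the output buffer is too small. */
int answer_all_prompts(const char *const chunks[], size_t nchunks,
                       const char *const answers[], size_t nanswers,
                       char *sent, size_t sentsz)
{
    struct prompt_scanner s = { 0 };
    size_t used = 0;
    sent[0] = '\0';
    for (size_t c = 0; c < nchunks; c++) {
        size_t hits = scanner_feed(&s, chunks[c], strlen(chunks[c]));
        while (hits--) {
            if (used == nanswers) return -1;
            if (strlen(sent) + strlen(answers[used]) + 2 > sentsz) return -1;
            strcat(sent, answers[used++]);
            strcat(sent, "\n");
        }
    }
    return (int)used;
}
```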





