Sudo is still requiring a password even when PAM does not require input
nogweii opened this issue · 4 comments
nogweii commented
Running sudo version 1.9.12p2 on Arch Linux.
I've set up /etc/pam.d/sudo to accept pam_ssh_agent_auth as sufficient:
[ansible-admin@naquadah ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth include system-auth
account include system-auth
session include system-auth
And when running in interactive mode, there are no prompts as desired:
[ansible-admin@naquadah ~]$ sudo -H -S /bin/sh -c "ls -l /root"
total 0
However, adding -n will cause sudo to require a password:
[ansible-admin@naquadah ~]$ sudo -k
[ansible-admin@naquadah ~]$ sudo -H -S -n /bin/sh -c "echo BECOME-SUCCESS"
sudo: a password is required
It seems like this should work according to the news entry for 1.9.9 and #83 being closed.
Debug logs of the denial have been uploaded to a Gist: https://gist.github.com/nogweii/06ecfb9487ccc685b1210de3678840ff
Let me know if there is any more information I can provide!
millert commented
Does it work as expected if you set "noninteractive_auth" in sudoers?
nogweii commented
Oh, dang, I missed that! Yes, it does work when I set noninteractive_auth in sudoers.
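A check for the two settings this thread turns on, as an added example that is not part of the original issue or of sudo itself: it reports whether a PAM stack loads pam_ssh_agent_auth and whether sudoers enables noninteractive_auth for a given user. The function names, the temporary file names, the sudoers contents and the per-user `Defaults:ansible-admin` scoping are assumptions made for illustration; the parsing is simplified (no include following, no line continuations, only global and per-user Defaults).

```shell
#!/bin/sh
# Added example (not from the thread). Simplified parsing: no include
# following, no line continuations, only global and per-user Defaults.

# 0 if an uncommented auth line in PAM file $1 loads pam_ssh_agent_auth.so
pam_has_agent_auth() {
    awk '$1 == "auth" || $1 == "-auth" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /(^|\/)pam_ssh_agent_auth\.so$/) found = 1
         }
         END { exit !found }' "$1"
}

# 0 if sudoers file $1 leaves noninteractive_auth enabled for user $2
# (the last matching Defaults entry wins)
sudoers_noninteractive_auth() {
    awk -v user="$2" '
        $1 == "Defaults" || $1 == ("Defaults:" user) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")      # drop the Defaults[:user] field
            n = split($0, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opt[i])
                if (opt[i] == "noninteractive_auth")  enabled = 1
                if (opt[i] == "!noninteractive_auth") enabled = 0
            }
        }
        END { exit !enabled }' "$1"
}

# Prints one verdict for PAM file $1, sudoers file $2, user $3
check_sudo_n() {
    if ! pam_has_agent_auth "$1"; then echo "pam: no pam_ssh_agent_auth auth line"
    elif ! sudoers_noninteractive_auth "$2" "$3"; then echo "sudoers: noninteractive_auth not set"
    else echo "ok"
    fi
}

# Constructed samples: the PAM stack quoted in the issue and two sudoers variants
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys' \
    'auth include system-auth' > "$tmp/pam_sudo"
printf '%s\n' 'Defaults env_reset' 'ansible-admin ALL=(ALL) ALL' > "$tmp/sudoers_before"
printf '%s\n' 'Defaults env_reset' 'Defaults:ansible-admin noninteractive_auth' \
    'ansible-admin ALL=(ALL) ALL' > "$tmp/sudoers_after"

check_sudo_n "$tmp/pam_sudo" "$tmp/sudoers_before" ansible-admin
check_sudo_n "$tmp/pam_sudo" "$tmp/sudoers_after"  ansible-admin
```

Scoping the option to the one account that authenticates with an agent key keeps `sudo -n` behaviour unchanged for every other user; validate a real drop-in with `visudo -cf` before installing it.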