sudo never asks me for a password

Tom McLaughlin tmclaugh at sdf.lonestar.org
Mon Dec 3 17:19:38 PST 2007


On Fri, 2007-11-23 at 20:01 -0800, Kamil Kisiel wrote:
> On Nov 23, 2007 7:31 PM, Kamil Kisiel <kamil at kamilkisiel.net> wrote:
> > On Nov 23, 2007 7:16 PM, Christopher Cowart <ccowart at rescomp.berkeley.edu> wrote:
> > > On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
> > > > On 11/23/07, Christopher Cowart <ccowart at rescomp.berkeley.edu> wrote:
> > > > > On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
> > > > > > For some reason, on this particular FreeBSD machine, sudo never asks
> > > > > > me for a password, even if I haven't logged in for days.
> > > > > >
> > > > > > I've been struggling with this problem for some time but still haven't
> > > > > > been able to find a solution. Any ideas?
> > > > >
> > > > > Maybe something is misconfigured in your pam stack? Check
> > > > > /etc/pam.d/sudo.
> > > >
> > > > /etc/pam.d/sudo looks like this:
> > > >
> > > > #
> > > > # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
> > > > #
> > > > # PAM configuration for the "su" service
> > > > #
> > > >
> > > > # auth
> > > > auth            sufficient      pam_rootok.so           no_warn
> > > > auth            sufficient      pam_self.so             no_warn
> > > > auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
> > > > auth            include         system
> > > >
> > > > # account
> > > > account         include         system
> > > >
> > > > # session
> > > > session         required        pam_permit.so
> > >
> > > This looks like it was copied verbatim from su.
> > >
> > > I suspect the pam_self.so is causing problems. Sudo authenticates the
> > > user for their current account, not the target account. That line will
> > > cause authentication to short-circuit on a UID match w/o any need to
> > > provide a password. Try commenting it out.
> > >
> > > --
> > >
> > > Chris Cowart
> > > Lead Systems Administrator
> > > Network & Infrastructure Services, RSSP-IT
> > > UC Berkeley
> > >
> >
> > Thanks Christopher,
> >
> > That's exactly the problem. Seems the previous administrator of this
> > machine made /etc/pam.d/sudo a link to /etc/pam.d/su and left it
> > configured as is. Somehow I never caught on to that.
> >
> > --
> > Kamil
> >
> 
> Alright, maybe my impression of success was slightly premature. It
> seems that the problem now is that sudo doesn't like the pam_unix.so
> module for whatever reason. If I use the default sudo pam file, which
> simply includes all settings from /etc/pam.d/system it gives me an
> error like the following:
> 
> sudo: pam_authenticate: conversation failure

What version of sudo are you using?  This is the pam file from the
latest version of the port:

#
# $Id$
#
# PAM configuration for the "sudo" service
#

# auth
auth            include         system

# account
account         include         system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session         required        pam_permit.so

# password
password        include         system

-- 
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |
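
An audit check for the misconfiguration diagnosed in this thread, added here as an example and not part of the original messages: it walks the `auth` rules of a sudo PAM policy, follows `include`, and reports rules that let authentication succeed with no password. The function names, the module list and the sample `system` file are assumptions constructed for the example.

```python
import os

# Modules that succeed without a credential when the service is sudo:
# pam_self matches because sudo authenticates the invoking user as themselves,
# pam_permit always succeeds. (List chosen for this example.)
NO_CREDENTIAL = {"pam_self.so", "pam_permit.so"}
SHORT_CIRCUIT = {"sufficient", "binding"}  # controls that end the chain on success

def auth_bypasses(service, files, _seen=None):
    """Return (service, line_no, line) for auth rules that pass without a password.

    files maps a service name to the text of its /etc/pam.d file; 'include'
    rules in the auth facility are followed, each service at most once.
    """
    seen = _seen if _seen is not None else set()
    if service in seen or service not in files:
        return []
    seen.add(service)
    findings = []
    for no, raw in enumerate(files[service].splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 3 or fields[0] != "auth":
            continue                            # session/account rules are not auth
        control, module = fields[1], os.path.basename(fields[2])
        if control == "include":
            findings += auth_bypasses(fields[2], files, seen)
        elif control in SHORT_CIRCUIT and module in NO_CREDENTIAL:
            findings.append((service, no, raw.strip()))
    return findings

def is_symlink_to_su(path="/etc/pam.d/sudo"):
    """True when the sudo policy file is a symlink resolving to a file named su."""
    return os.path.islink(path) and os.path.basename(os.path.realpath(path)) == "su"

# Constructed samples: auth section of the su-derived file quoted in the thread,
# the auth/account lines of the port's file, and a minimal stand-in for "system".
SU_COPY = """\
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
auth include system
"""
PORT_DEFAULT = "auth include system\naccount include system\n"
SYSTEM = "auth required pam_unix.so no_warn try_first_pass\n"

if __name__ == "__main__":
    for name, text in (("su copy", SU_COPY), ("port default", PORT_DEFAULT)):
        hits = auth_bypasses("sudo", {"sudo": text, "system": SYSTEM})
        print(name, "->", hits or "no password-less auth rule")
```

The `session required pam_permit.so` line in both files is deliberately not reported, because only the `auth` facility decides whether a password is requested.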


