FS#17519 - [sudo] does not ask for fingerprint with pam_fprint

Attached to Project: Arch Linux
Opened by Eric Siegel (nticompass) - Tuesday, 15 December 2009, 17:43 GMT
Last edited by Allan McRae (Allan) - Wednesday, 23 June 2010, 07:21 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
I have "auth sufficient pam_fprint.so" at the top of my /etc/pam.d/sudo file. It is supposed to ask me to swipe my finger when I run sudo, and ask for a password if the swipe failed. This works fine in sudo 1.7.2p1-1, but in sudo 1.7.2p2-1 it just asks for a password, it does not ask me to swipe my finger.

Additional info:
* package version(s)
core/sudo 1.7.2p2-1
extra/libfprint 0.0.6-3
extra/fprint_demo 0.4-2

* config and/or log files etc.
/etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_fprint.so
auth required pam_unix.so
auth required pam_nologin.so

Steps to reproduce:
1. Install libfprint
2. Install sudo
3. Add "auth sufficient pam_fprint.so" to /etc/pam.d/sudo
4. Run sudo -s
This task depends upon

Closed by  Allan McRae (Allan)
Wednesday, 23 June 2010, 07:21 GMT
Reason for closing:  Fixed
Additional comments about closing:  sudo-1.7.2p7-2 in [testing]
Comment by Meir Kriheli (mksoft) - Friday, 22 January 2010, 02:25 GMT
Same problem here, fingerprint swap is ignored after the latest upgrade, used to work before.

* package versions:

libfprint 0.0.6-3
pam_fprint 0.2-1
sudo 1.7.2p2-1

* /etc/pam.d/sudo

#%PAM-1.0
auth sufficient pam_fprint.so
auth required pam_unix.so try_first_pass likeauth nullok
auth required pam_nologin.so


Other services configured to use pam_fprint (e.g: su) are asking for the swipe.
Comment by Allan McRae (Allan) - Monday, 25 January 2010, 01:17 GMT
There is this in the 1.7.2p2 changelog:
When authenticating via PAM, set PAM_RUSER and PAM_RHOST early so they can be used during authentication.

Maybe related?

Anyway, looks like an upstream issue as a Fedora user has noticed it [1], so please file a bug upstream (http://www.sudo.ws/bugs/) and give a link here.

[1] http://forums.fedoraforum.org/showthread.php?p=1320770#post1320770
Comment by Eric Siegel (nticompass) - Monday, 25 January 2010, 01:45 GMT
I filed a bug report upstream. http://www.gratisoft.us/bugzilla/show_bug.cgi?id=388
Comment by Allan McRae (Allan) - Wednesday, 17 February 2010, 05:19 GMT
Can you test with sudo-1.7.2p3 (current in the testing repo)?
Comment by Eric Siegel (nticompass) - Thursday, 18 February 2010, 01:20 GMT
Tried it with sudo-1.7.2p3. Still doesn't work. sudo 1.7.2p1-1 is the version that works with pam_fprint.
Comment by Meir Kriheli (mksoft) - Sunday, 21 February 2010, 09:06 GMT
Same here, not working with 1.7.2p3.
Comment by Eric Siegel (nticompass) - Saturday, 27 February 2010, 19:44 GMT
I ran pacman -Syu today, and there was sudo 1.7.2p4-1. I installed that, and pam_fprint still does not work. pam_fprint still and only works with sudo 1.7.2p1-1.
Comment by Eric Siegel (nticompass) - Thursday, 11 March 2010, 04:31 GMT
sudo-1.7.2p5-1 does not work with pam_fprint
Comment by Allan McRae (Allan) - Thursday, 11 March 2010, 08:42 GMT
Can you report the newer versions still do not work in your upstream bug. There is not much I can do here...
Comment by Allan McRae (Allan) - Saturday, 20 March 2010, 02:36 GMT
Closing this as an upstream issue. Reopen if a patch is made available before the release that fixes it.
Comment by Eric Siegel (nticompass) - Tuesday, 22 June 2010, 08:55 GMT
Upstream made a patch for sudo 1.7.2p2. I tried it on 1.7.2p7. It worked.

The patch is here: http://www.gratisoft.us/bugzilla/attachment.cgi?id=277

Loading...