From 169fe60e46d1dda26cc84fb33f8a6b70c81f375f Mon Sep 17 00:00:00 2001
From: bjorn3 <17426603+bjorn3@users.noreply.github.com>
Date: Tue, 3 Dec 2024 16:27:07 +0100
Subject: [PATCH 1/2] Treat conversation error as authentication failure

On FreeBSD PAM returns a conversation error when there is nowhere to read the password from.
---
 src/sudo/pam.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sudo/pam.rs b/src/sudo/pam.rs
index d8e1f190f..42edb4421 100644
--- a/src/sudo/pam.rs
+++ b/src/sudo/pam.rs
@@ -150,7 +150,7 @@ pub fn attempt_authenticate(
 }

 // there was an authentication error, we can retry
- Err(PamError::Pam(PamErrorType::AuthError, _)) => {
+ Err(PamError::Pam(PamErrorType::AuthError | PamErrorType::ConversationError, _)) => {
 max_tries -= 1;
 if max_tries == 0 {
 return Err(Error::MaxAuthAttempts(current_try));

From fd3cfecebc4f6b9f26e623440205a9c2b88e6395 Mon Sep 17 00:00:00 2001
From: "Marc R. Schoolderman"
Date: Thu, 19 Dec 2024 11:00:03 +0100
Subject: [PATCH 2/2] always give 'interaction is required' once if a conversation error occurred (#2)

---
 src/sudo/pam.rs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/sudo/pam.rs b/src/sudo/pam.rs
index 42edb4421..115f8ec5b 100644
--- a/src/sudo/pam.rs
+++ b/src/sudo/pam.rs
@@ -150,12 +150,15 @@ pub fn attempt_authenticate(
 }

 // there was an authentication error, we can retry
- Err(PamError::Pam(PamErrorType::AuthError | PamErrorType::ConversationError, _)) => {
+ Err(PamError::Pam(
+ err_type @ (PamErrorType::AuthError | PamErrorType::ConversationError),
+ _,
+ )) => {
 max_tries -= 1;
- if max_tries == 0 {
- return Err(Error::MaxAuthAttempts(current_try));
- } else if non_interactive {
+ if non_interactive || err_type == PamErrorType::ConversationError {
 return Err(Error::InteractionRequired);
+ } else if max_tries == 0 {
+ return Err(Error::MaxAuthAttempts(current_try));
 } else {
 user_warn!("Authentication failed, try again.");
 }
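Review bot: In patch 1/2 the context comment `// there was an authentication error, we can retry` sits directly above the arm that now also matches `PamErrorType::ConversationError`, and it is left unchanged again in patch 2/2, where a conversation error returns `Error::InteractionRequired` and is never retried. For an authentication path the comment should state which failures are retried and which end the attempt, for example `// auth error: retry while tries remain; conversation error (PAM could not prompt): stop with InteractionRequired`. The commit message ties the conversation error to FreeBSD, but nothing in the pattern is platform-specific, so the comment should not suggest it is. The arm and `attempt_authenticate` itself extend beyond both hunks.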
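Review bot: In patch 2/2 every `PamErrorType::ConversationError` is turned into `Error::InteractionRequired` even when `non_interactive` is false, while the second field of `PamError::Pam` is still dropped by `_,`, so whatever detail PAM supplied is gone by the time the error is reported. If a conversation can fail for a reason other than having nowhere to read the password from (the hunk does not show this), the user and any authentication log would see 'interaction is required' for an unrelated failure; binding that field instead of `_,` and recording it before `return Err(Error::InteractionRequired);` would keep the cause diagnosable. The reordered checks also mean a non-interactive caller on its last permitted try now gets `InteractionRequired` where the old order returned `Error::MaxAuthAttempts(current_try)`, so any caller or test that distinguishes the two needs checking. The match arm closes outside the hunk.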