Skip to content

Propagate all error kinds from pam::converse not just timeouts #1346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Propagate all error kinds from pam::converse not just timeouts #1346

wants to merge 4 commits into from

Conversation

@bjorn3
Copy link
Collaborator

@bjorn3 bjorn3 commented Nov 19, 2025

This way they rather than silently discarding the error message and doing another authentication attempt, they properly report the error message and cause sudo to exit. This way for example pam_faillock won't cause a persistent error like incorrect SUDO_ASKPASS value (once implemented) to be treated as multiple successive failed password attempts.

@bjorn3 bjorn3 requested a review from squell November 19, 2025 12:38
@bjorn3 bjorn3 added this to the askpass milestone Nov 19, 2025
@bjorn3 bjorn3 marked this pull request as draft November 19, 2025 13:34
@bjorn3 bjorn3 force-pushed the pam_propagate_error branch 2 times, most recently from a7d610d to 779da35 Compare November 24, 2025 10:43
@bjorn3
Propagate all error kinds from pam::converse not just timeouts
9798c21 
This way they rather than silently discarding the error message and
doing another authentication attempt, they properly report the error
message and cause sudo to exit. This way for example pam_faillock won't
cause a persistent error like incorrect SUDO_ASKPASS value (once
implemented) to be treated as multiple successive failed password
attempts.
@bjorn3
Error fixes
7cbc01e
@bjorn3
Don't retry authentication on password input error
d3ac3eb 
For example a timeout or ctrl+d. In addition don't allow PAM to ask for
another password when an input error happened. We will still retry if
the password that was entered was incorrect of course. This matches the
behavior of og sudo.
@bjorn3
Move timeout error conversion into rpassword
ac1f3bf
@bjorn3 bjorn3 force-pushed the pam_propagate_error branch from 779da35 to ac1f3bf Compare November 24, 2025 12:32
@bjorn3 bjorn3 marked this pull request as ready for review November 24, 2025 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@squell squell Awaiting requested review from squell

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

askpass

Development

Successfully merging this pull request may close these issues.

1 participant

@bjorn3