PAM sudo password prompt for redirect #16857
Replies: 1 comment 1 reply
-
|
Any pointers to where to look in the code to start looking into this? |
Beta Was this translation helpful? Give feedback.
-
|
Cockpit has some trouble in general with output produced by sudo. We catch stderr and display that, but stdout is not handled well. I guess your PAM module writes the messages to stdout, right? If you want to dig into this yourself, I suggest starting with CockpitPeer: https://github.com/cockpit-project/cockpit/blob/main/src/bridge/cockpitpeer.c#L868 Right now I am puzzled why you get a dialog at all. Does your PAM module ask for user input? (If not, there should be no dialog at all.) |
Beta Was this translation helpful? Give feedback.
-
We are doing something that is a little unusual for authentication for Cockpit. I have everything working, BUT there is one display issue that I would love to figure out.
We are running on the latest CentOS 8 Stream.
We don't use passwords at all. We use client side certificates for our access to cockpit, with the new configuration with SSSD, we were able to get everything working without any custom code.
For privileged access the sudo modules "works", but it does not give any display. We have a custom pam module that pings a secondary authentication server for access. From the console this looks like:
Once the user has provided credentials the url (https://my.auth.server/auth) the backend PAM module provides a success to PAM and the user's sudo command works.
On Cockpit, clicking limit access does run the pam module, the user can go to the auth server, provide credentials and get a privileged session - PAM works fine. What does not work is the dialogue box for the user; all they get is a blank box. I would love to be able to pass the message from PAM to the user: "Click the following link to authenticate: https://my.auth.server/auth" (or some such).
Thanks for a great project and any help you can provide.
Beta Was this translation helpful? Give feedback.
All reactions