
pam_touchid appears to break sudo over SSH

Open modest opened this issue 7 years ago • 8 comments

I haven't fully tested this scenario, but at first pass, it seems like pam_touchid prevents a remote SSH user from using sudo on a Mac with pam_touchid installed. The GUI prompt appears and never gives up without GUI user input.

Are there some possible mitigations here?

  • Checking the tty being used (does PAM expose this?) and immediately falling back to password authentication if the user is coming from a remote terminal
  • or: Adding a timeout so that the Touch ID prompt automatically aborts after 5 seconds, causing a fallback to password authentication.

modest, Dec 19 '16 18:12

Interesting, I hadn't thought of that.

Does it work if you add something like:

if (getenv("SSH_TTY"))  
    return PAM_IGNORE;

to the very top of pam_sm_authenticate?

I can't test it at the moment, but hopefully that will make it fall back to the default authentication method when run from ssh (assuming you kept the opendirectory line intact in the ssh pam.d entry).

hamzasood, Dec 19 '16 20:12
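One way to implement the check hamzasood suggests, as an added example that is not the pam_touchid project's own code. The decision logic is a plain function so it can be exercised against constructed environments; the PAM hook around it is only compiled when security/pam_modules.h is present. The names is_remote_session, real_env and the sample_*_env functions are this example's own, and the environment values in them are constructed. It goes slightly beyond the thread's SSH_TTY test by also looking at SSH_CONNECTION and SSH_CLIENT, which sshd sets even for commands run without a pty (where SSH_TTY is absent). On the question of whether PAM exposes the tty: it does, as the PAM_TTY item, but for sudo that item holds the pty device name, which looks the same whether the pty belongs to a local Terminal window or to an SSH session, so it does not answer the local-or-remote question on its own.

```c
/* Added example, not code from the pam_touchid project.
 * Skip the Touch ID prompt (return PAM_IGNORE) when the caller appears to
 * have arrived over SSH, so the next module in the sudo stack (password
 * authentication) takes over instead of a GUI prompt nobody can answer. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Environment variables sshd sets for sessions that came over SSH.
 * SSH_TTY is the one from the thread; it only exists when a pty was
 * allocated, so SSH_CONNECTION/SSH_CLIENT cover "ssh host 'sudo ...'". */
static const char *const REMOTE_MARKERS[] = {
    "SSH_TTY", "SSH_CONNECTION", "SSH_CLIENT"
};

/* getenv-like lookup, so the logic can run against a constructed
 * environment in tests as well as the real process environment. */
typedef const char *(*env_lookup_fn)(const char *name);

/* 1 if any SSH marker is present and non-empty, 0 otherwise. */
int is_remote_session(env_lookup_fn lookup)
{
    size_t n = sizeof REMOTE_MARKERS / sizeof REMOTE_MARKERS[0];
    for (size_t i = 0; i < n; i++) {
        const char *v = lookup(REMOTE_MARKERS[i]);
        if (v != NULL && v[0] != '\0')
            return 1;
    }
    return 0;
}

/* Wrapper with the right pointer type (getenv returns char *, not const). */
const char *real_env(const char *name) { return getenv(name); }

/* Constructed sample environments (hypothetical values, for demonstration). */
const char *sample_ssh_env(const char *name)            /* interactive ssh login */
{
    if (strcmp(name, "SSH_TTY") == 0)        return "/dev/ttys003";
    if (strcmp(name, "SSH_CONNECTION") == 0) return "192.0.2.10 51234 192.0.2.20 22";
    return NULL;
}
const char *sample_ssh_nopty_env(const char *name)      /* ssh host 'sudo ...': no pty */
{
    return strcmp(name, "SSH_CONNECTION") == 0 ? "192.0.2.10 51234 192.0.2.20 22" : NULL;
}
const char *sample_local_env(const char *name)          /* local Terminal.app window */
{
    return strcmp(name, "TERM_PROGRAM") == 0 ? "Apple_Terminal" : NULL;
}
const char *sample_empty_marker_env(const char *name)   /* marker present but empty */
{
    return strcmp(name, "SSH_TTY") == 0 ? "" : NULL;
}

/* The PAM hook itself, compiled only where the PAM headers exist. */
#if defined(__has_include)
#  if __has_include(<security/pam_modules.h>)
#    define HAVE_PAM_MODULES_H 1
#  endif
#endif
#ifdef HAVE_PAM_MODULES_H
#define PAM_SM_AUTH
#include <security/pam_modules.h>
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    if (is_remote_session(real_env))
        return PAM_IGNORE;   /* let the next "auth" line (password) handle it */
    /* pam_touchid's biometric prompt would run here; this example omits it. */
    return PAM_AUTH_ERR;
}
#endif

int main(void)
{
    printf("constructed ssh env    -> %s\n", is_remote_session(sample_ssh_env)   ? "skip Touch ID" : "prompt");
    printf("constructed local env  -> %s\n", is_remote_session(sample_local_env) ? "skip Touch ID" : "prompt");
    printf("this process           -> %s\n", is_remote_session(real_env)         ? "skip Touch ID" : "prompt");
    return 0;
}
```

Design note: these variables are set by the user's own login shell, so the check is a usability heuristic, not a security boundary. Whichever branch it takes, authentication still ends up at the password module that follows in the stack; a spoofed or missing SSH_TTY changes only which prompt the user sees, not whether credentials are required.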

Just tested it. I can confirm it works.

fraimondo, Jan 06 '17 11:01

I think also that XPC_SERVICE_NAME will be set if running a shell locally, but that might depend on whether you are using Terminal.app or an alternative. Neither way seems that great as a proxy for detecting if the user is local or not, but I can't think of a better way.

cqexbesd, Jan 06 '17 22:01

@cqexbesd what if I have a GUI app that spawns a sudo command? Will I see the XPC_SERVICE_NAME then?

barry-scott, Jan 28 '17 18:01

if (getenv("SSH_TTY"))
    return PAM_IGNORE;

@hamzasood I can also confirm it works. Why don't you merge it into code?

ITJesse, Jun 03 '17 23:06

Looks like this project may be abandoned, sadly... in the meantime, @BenKesselring has a fork with this bug fixed: https://github.com/BenKesselring/pam_touchid/

caesar, Aug 22 '17 06:08

@caesar didn't have a chance to check, did he include if (getenv("SSH_TTY")) return PAM_IGNORE; into his fork/master?

AdnanHodzic, Aug 22 '17 06:08

@AdnanHodzic yes. He also opened a PR (#4) to merge that fix into this project but @hamzasood unfortunately never merged it.

caesar, Aug 22 '17 06:08