pyinfra-dev / pyinfra

pyinfra turns Python code into shell commands and runs them on your servers. Execute ad-hoc commands and write declarative operations. Target SSH servers, local machine and Docker containers. Fast and scales from one server to thousands.
https://pyinfra.com
MIT License
3.85k stars 374 forks

@local + sudo unusable when using PAM fingerprint support in fedora 34 #654

Open jankatins opened 3 years ago

jankatins commented 3 years ago

Describe the bug

Fedora 34 sets up PAM with support for fingerprint support in PAM. That means I can put my fingerprint on the reader and sudo will let me through. Unfortunately, this means that every pyinfra sudo call will ask for a fingerprint which has to time out to finally let the normal password (which pyinfra supplies in an env variable) take over.

To Reproduce

Laptop with fingerprint support, set up to let sudo be authenticated by the fingerprint (default on Fedora 34). Add a `dnf.packages` task with like 10+ packages -> there is one sudo call for each package, all of them waiting for the fingerprint timeout :-(

Expected behavior

I will only get asked once for my password.

I suspect that this isn't easily solvable by pyinfra (I also saw a google result for the same thing in ansible) :-( but I wonder if it would be possible to use a (cached) pty for all calls so that sudo itself caches credentials?

jankatins commented 3 years ago

Also reported as a feature request to sudo: https://github.com/sudo-project/sudo/issues/112

Fizzadar commented 3 years ago

Hi @jankatins! This sounds incredibly frustrating! It is possible to provide a pty for operations (global argument get_pty=True) - however this is per-command so I don't believe it will fix the problem. I'm now wondering if it's possible to have paramiko pass around the same PTY between calls - will look into this!

jankatins commented 3 years ago

This sounds like a way to do it: https://github.com/pexpect/ptyprocess (+ whatever magic fairy dust is in https://github.com/pexpect/ptyprocess/issues/48) ... or use pexpect (https://github.com/pexpect/pexpect/blob/831052254a039531adc91ebfce945d9ca54fd00a/pexpect/pty_spawn.py) directly?

Would then look very similar to what I understand the ssh one does: open a session, run commands one after another, close session

jankatins commented 2 years ago

Sudo 1.9.9 comes with support to add a different sudo/pam service for sudo -A and one can use that to configure sudo to not ask for passwords when used with --askpass/-A. So there is now a way to not get bitten by this problem.

(I wrote up how I configured it: https://www.katzien.de/en/posts/2022-02-06-sudo-with-fingerprint-support/)
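The setup the comment above describes, as an added example that is not part of this issue, of pyinfra or of sudo: a sudoers drop-in using the `pam_askpass_service` option that sudo 1.9.9 introduced, plus a password-only PAM service that sudo uses only when run with `-A`. The service name `sudo-askpass`, the minimal PAM stack and the staging-directory layout are assumptions; the stack still requires the account password, it only leaves out the fingerprint module.

```shell
#!/bin/sh
# Added example (not pyinfra's or sudo's code): give `sudo -A` its own
# password-only PAM service so the askpass helper's password is checked
# straight away instead of after a fingerprint timeout. Needs sudo >= 1.9.9
# (pam_askpass_service). Service name and PAM stack are assumptions.
set -eu

# Return 0 when a `sudo -V` version string (e.g. "1.9.9p2") is >= 1.9.9.
version_ge_1_9_9() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "p2"-style suffixes
    case "$v" in ''|*[!0-9.]*) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.};     [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 9 ] && return 0
    [ "$minor" -lt 9 ] && return 1
    [ "$patch" -ge 9 ]
}

# Write the PAM service and sudoers drop-in below ROOT ($1) so they can be
# reviewed (and checked with `visudo -c -f`) before being installed under /.
render_askpass_config() {
    root="$1"
    mkdir -p "$root/etc/pam.d" "$root/etc/sudoers.d"
    # No pam_fprintd here: the only auth method is the Unix password, which
    # is exactly what the askpass helper supplies. Interactive sudo keeps
    # using the regular "sudo" service, fingerprint and all.
    cat > "$root/etc/pam.d/sudo-askpass" <<'EOF'
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so
auth       required     pam_deny.so
account    include      sudo
session    include      sudo
EOF
    printf 'Defaults pam_askpass_service="sudo-askpass"\n' \
        > "$root/etc/sudoers.d/askpass"
    chmod 0440 "$root/etc/sudoers.d/askpass"   # sudoers.d files must be 0440
}

# Usage: sh askpass-pam.sh --render /tmp/staging   (refuses on older sudo)
if [ "${1:-}" = "--render" ] && [ -n "${2:-}" ]; then
    version_ge_1_9_9 "$(sudo -V | sed -n '1s/^Sudo version //p')" || exit 1
    render_askpass_config "$2"
fi
```

After reviewing the staged files, copy them to `/etc/pam.d/` and `/etc/sudoers.d/`; pyinfra's sudo calls then authenticate against the password-only service while a terminal `sudo` still offers the fingerprint prompt.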

Fizzadar commented 1 year ago

Shifting this to a documentation issue now sudo has a fix for this, need to make sure this is well highlighted alongside sudo documentation.