Open jankatins opened 3 years ago
Also reported as a feature request to sudo: https://github.com/sudo-project/sudo/issues/112
Hi @jankatins! This sounds incredibly frustrating! It is possible to provide a pty for operations (global argument `get_pty=True`) - however this is per-command so I don't believe it will fix the problem. I'm now wondering if it's possible to have paramiko pass around the same PTY between calls - will look into this!
This sounds like a way to do it: https://github.com/pexpect/ptyprocess (+ whatever magic fairy dust is in https://github.com/pexpect/ptyprocess/issues/48) ... or use pyexpect (https://github.com/pexpect/pexpect/blob/831052254a039531adc91ebfce945d9ca54fd00a/pexpect/pty_spawn.py) directly?
Would then look very similar to what I understand the ssh one does: open a session, run commands one after another, close session
Sudo 1.9.9 comes with support to add a different sudo/pam service for `sudo -A` and one can use that to configure sudo to not ask for passwords when used with `--askpass/-A`. So there is now a way to not get bitten by this problem.
(I wrote up how I configured it: https://www.katzien.de/en/posts/2022-02-06-sudo-with-fingerprint-support/)
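A way to check that a separate PAM service for `sudo -A` really skips the fingerprint prompt, added here as an example (it is not part of the thread, the linked write-up, pyinfra or sudo). The service name `sudo-askpass`, the module name `pam_fprintd.so` and the sample files are assumptions constructed for illustration; the sudoers option shown in the comment is `pam_askpass_service` from sudo 1.9.9.

```python
import re
import tempfile
from pathlib import Path

# Assumed sudoers line selecting the alternate service for `sudo -A`:
#   Defaults pam_askpass_service = "sudo-askpass"
# Constructed sample PAM files (not copied from any real system).
SAMPLE = {
    "system-auth": "auth sufficient pam_fprintd.so\nauth sufficient pam_unix.so\n",
    "password-auth": "auth sufficient pam_unix.so\nauth required pam_deny.so\n",
    "sudo": "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n",
    "sudo-askpass": "#%PAM-1.0\nauth include password-auth\naccount include system-auth\n",
}

# type, control (plain word or [bracketed list]), then module path or file name
AUTH_LINE = re.compile(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(service, pam_dir, chain=()):
    """List modules in a service's auth stack, following include/substack."""
    if service in chain:                      # guard against include loops
        return []
    chain += (service,)
    modules = []
    for raw in (Path(pam_dir) / service).read_text().splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("@include "):      # Debian-style whole-file include
            modules += auth_modules(line.split()[1], pam_dir, chain)
            continue
        match = AUTH_LINE.match(line)
        if not match:
            continue
        control, target = match.groups()
        if control in ("include", "substack"):
            modules += auth_modules(target, pam_dir, chain)
        else:
            modules.append(Path(target).name)
    return modules

def demo():
    """Write the constructed files to a temp dir and check both services."""
    with tempfile.TemporaryDirectory() as pam_dir:
        for name, body in SAMPLE.items():
            (Path(pam_dir) / name).write_text(body)
        return {svc: "pam_fprintd.so" in auth_modules(svc, pam_dir)
                for svc in ("sudo", "sudo-askpass")}

if __name__ == "__main__":
    print(demo())
```

On a real host, call `auth_modules` with the PAM directory (usually `/etc/pam.d`) and the service name configured in sudoers.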
Shifting this to a documentation issue now sudo has a fix for this, need to make sure this is well highlighted alongside sudo documentation.
Describe the bug
Fedora 34 sets up PAM with support for fingerprint support in PAM. That means I can put my fingerprint on the reader and sudo will let me through. Unfortunately, this means that every pyinfra sudo call will ask for a fingerprint which has to time out to finally let the normal password (which pyinfra supplies in an env variable) take over.
To Reproduce
Laptop with fingerprint support, set up to let sudo be authenticated by the fingerprint (default on Fedora 34). Add a `dnf.packages` task with like 10+ packages -> there is one sudo call for each package, all of them waiting for the fingerprint timeout :-(
Expected behavior
I will only get asked once for my password.
I suspect that this isn't easily solvable by pyinfra (I also saw a Google result for the same thing in ansible) :-( but I wonder if it would be possible to use a (cached) pty for all calls so that sudo itself caches credentials?