sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Sudo is still requiring a password even when PAM does not require input #236

Closed nogweii closed 1 year ago

nogweii commented 1 year ago

Running sudo version 1.9.12p2 on Arch Linux.

I've set up /etc/pam.d/sudo to accept pam_ssh_agent_auth as sufficient:

[ansible-admin@naquadah ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth            sufficient      pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth            include         system-auth
account         include         system-auth
session         include         system-auth

And when running in interactive mode, there are no prompts as desired:

[ansible-admin@naquadah ~]$ sudo -H -S /bin/sh -c "ls -l /root"
total 0

However, adding -n will cause sudo to require a password:

[ansible-admin@naquadah ~]$ sudo -k
[ansible-admin@naquadah ~]$ sudo -H -S -n /bin/sh -c "echo BECOME-SUCCESS"
sudo: a password is required

It seems like this should work according to the news entry for 1.9.9 and #83 being closed.

Debug logs of the denial have been uploaded to a Gist: https://gist.github.com/nogweii/06ecfb9487ccc685b1210de3678840ff

Let me know if there is any more information I can provide!

millert commented 1 year ago

Does it work as expected if you set "noninteractive_auth" in sudoers?

millert commented 1 year ago

See also #131

nogweii commented 1 year ago

Oh, dang, I missed that! Yes, it does work when I set noninteractive_auth in sudoers.

mjbnz commented 1 year ago

I thought I'd found my fix with this issue, but it seems not - even after adding noninteractive_auth, I am still prompted for a password by PAM when using sudo -i. However, if I first validate with another command (sudo -l, sudo -v, etc), a call to sudo -i subsequently works.

Is this related, or should I file a new issue? For reference, this used to work in 1.9.5p2, now doesn't work in 1.9.13p3 (Debian 11 vs Debian 12).

edit: Disregard - --with-pam-login has been enabled in Debian 12: debbug#690044
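Added example, not code from the sudo project or from anyone in this thread: a small POSIX shell linter for the two settings the thread converges on. It checks that /etc/pam.d/sudo reaches pam_ssh_agent_auth (as "sufficient") before the password modules are pulled in by "auth include", and that sudoers contains "Defaults noninteractive_auth", since without that option sudo -n refuses to run the PAM auth stack at all and answers "a password is required" no matter what PAM would have done. The sample PAM and sudoers files are constructed here to reproduce the good and bad cases; on a real host point the functions at /etc/pam.d/sudo and /etc/sudoers (or a drop-in). For the sudo -i case mjbnz hit, sudo built with --with-pam-login uses the separate "sudo-i" PAM service name, so run check_pam_stack on /etc/pam.d/sudo-i as well. The probe function at the end is what to run on the host itself after the files are in place; it is not exercised offline.

```shell
#!/bin/sh
# Added example (not sudo's own code): lint the config the thread points at.
# 1. pam.d/sudo must try pam_ssh_agent_auth before the password modules.
# 2. sudoers must set noninteractive_auth or "sudo -n" never reaches PAM.
# Only the "sufficient" control keyword is recognised; [success=...] syntax
# and sudoers #include/@include directives are not followed (assumption).

# check_pam_stack FILE: 0 if an "auth sufficient pam_ssh_agent_auth.so" line
# precedes any "auth include"/"auth substack" line, 1 otherwise.
check_pam_stack() {
    awk '
        $1 == "auth" && $2 == "sufficient" &&
            $3 ~ /(^|\/)pam_ssh_agent_auth\.so$/ { found = 1 }
        $1 == "auth" && ($2 == "include" || $2 == "substack") && !found { exit 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_sudoers_noninteractive FILE: 0 if a Defaults line enables
# noninteractive_auth (also inside a comma list), 1 if absent or negated.
check_sudoers_noninteractive() {
    awk '
        /^[ \t]*Defaults/ {
            line = $0
            sub(/#.*/, "", line)                             # strip trailing comment
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)    # drop Defaults, Defaults:user, ...
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] == "noninteractive_auth")  found = 1
                if (opts[i] == "!noninteractive_auth") found = 0
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# lint_host PAM_FILE SUDOERS_FILE: one line per check, 0 only if both pass.
lint_host() {
    rc=0
    if check_pam_stack "$1"; then
        echo "ok:   $1 tries pam_ssh_agent_auth before the password stack"
    else
        echo "FAIL: $1 does not reach pam_ssh_agent_auth (sufficient) before 'auth include'"
        rc=1
    fi
    if check_sudoers_noninteractive "$2"; then
        echo "ok:   $2 sets noninteractive_auth, so 'sudo -n' runs the PAM stack"
    else
        echo "FAIL: $2 lacks 'Defaults noninteractive_auth'; 'sudo -n' will say 'a password is required'"
        rc=1
    fi
    return $rc
}

# probe_noninteractive: on the real host, after the files are in place.
# "sudo -k" first so a cached timestamp cannot mask the result; exit 0 means
# -n authenticated without a prompt.
probe_noninteractive() {
    sudo -k && sudo -n -v
}

# --- constructed sample inputs (not from any real host) ----------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/pam.sudo" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth            include         system-auth
account         include         system-auth
session         include         system-auth
EOF

# Wrong order: the password modules run (and prompt) before the agent module.
cat > "$tmp/pam.sudo-bad" <<'EOF'
#%PAM-1.0
auth            include         system-auth
auth            sufficient      pam_ssh_agent_auth.so file=/etc/security/authorized_keys
EOF

cat > "$tmp/sudoers-good" <<'EOF'
Defaults env_reset, noninteractive_auth   # let -n run the PAM auth stack
ansible-admin ALL=(ALL) ALL
EOF

cat > "$tmp/sudoers-bad" <<'EOF'
Defaults env_reset
ansible-admin ALL=(ALL) ALL
EOF

echo "== fixed configuration"
lint_host "$tmp/pam.sudo" "$tmp/sudoers-good"
echo "== the issue as reported: agent auth works interactively, -n still refuses"
lint_host "$tmp/pam.sudo" "$tmp/sudoers-bad" || true
echo "== PAM stack in the wrong order"
lint_host "$tmp/pam.sudo-bad" "$tmp/sudoers-good" || true
```

The linter only reads files, so it is safe to run as an unprivileged user against copies pulled from a host; visudo -c remains the authority on sudoers syntax, this script just answers the narrower question of whether the option the maintainer asked about is actually in effect.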