vim-suda
Prompted for password even if none is required
I've sudo set up so that I can sudo by just pressing my Yubikey's button.
However, when I run SudaWrite, I'm always prompted for a password. I can type any gibberish though, and then pressing the key lets sudo operate properly.
How about not asking for a password if sudo does not require one?
I use fprintd with sudo and I also have this problem. According to the discussions in #34 I guess it is very hard to determine whether sudo requests a password, so an extra configuration option may be the easiest way to solve this.
an extra configuration option may be the easiest way to solve this.
That would partially work. If my yubikey is not plugged in, sudo falls back to asking for a password, so that scenario would not work. I guess if a fingerprint reader is built into the keyboard that wouldn't be an issue in that case though.
Oh, then maybe another option is to make sudo read from an empty stdin first. Changing -n to -S in this line should be enough. When stdin is empty, sudo will fail to read a password and exit directly, while authentication methods that come before password can still work. (Unlike -n which also suppresses other stuff like fingerprint authentication.)
I'm not familiar with YubiKey. When using fprintd the solution above causes the editor to freeze until a fingerprint is scanned, so such a solution works, but is not user-friendly.
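The two probes discussed in the comment above, as an added example that is not part of the thread or of suda.vim: it tries `sudo -n` first, then `sudo -S` with an empty stdin, and bounds the second probe with a timeout because of the freeze reported with fprintd. The names `SUDO_BIN`, `PROBE_TIMEOUT` and `sudo_auth_mode` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not suda.vim code): classify how sudo would authenticate.
# SUDO_BIN and PROBE_TIMEOUT are hypothetical knobs of this example only.
SUDO_BIN="${SUDO_BIN:-sudo}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-10}"

# Prints one of:
#   no-auth-needed  sudo runs without authenticating (valid timestamp, NOPASSWD)
#   no-text-input   a method that needs no typed input succeeded (key, fingerprint)
#   password        neither probe succeeded: ask the user for a password
sudo_auth_mode() {
    # Probe 1: -n never prompts, so it succeeds only when sudo needs
    # no authentication at all.
    if "$SUDO_BIN" -n true 2>/dev/null; then
        echo no-auth-needed
        return 0
    fi

    # Probe 2: -S reads the password from stdin. With stdin empty the
    # password step fails at once, while, per the comment above, methods
    # that come before the password can still complete. The probe blocks
    # until the key or reader is used, so it is bounded by timeout(1);
    # an expired timeout is reported as "password".
    if timeout "$PROBE_TIMEOUT" "$SUDO_BIN" -S true </dev/null 2>/dev/null; then
        echo no-text-input
        return 0
    fi

    echo password
    return 0
}

# Usage: mode=$(sudo_auth_mode); prompt for a password only when it is "password".
```

Redirecting stderr hides both the password prompt and any message the PAM module prints, so a caller that wants the user to touch the key or reader has to show its own hint while the second probe runs.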
I have worked out a more user-friendly fix in this branch. It requires let g:suda#try_no_text_input_auth = 1 and has a configurable prompt message. This fix is based on PR #35, and I haven't documented the config options I added yet, but I think the fix should work.
I tested the fix with fprintd. SudaWrite works fine, but when using SudaRead spam is written to the temporary file by pam_fprintd.so. Using dd instead of cat in suda#read() may solve this only when assuming root can write to temporary files created by Vim/Neovim. I'm not sure whether it is safe to make this assumption.
Another option may be to allow using an external terminal emulator or tmux to run sudo, so that the plugin doesn't need to care about what sudo expects at all.
Actually, even using a new split with a terminal that does the sudo might be a good idea.
It'd also improve the experience with failed password attempts.
This is an issue when using howdy as well, as you generally want sudo to automatically authenticate without asking for the password.
Any updates on this? I also use fprintd and when saving via Suda it prompts for the password first, then attempts to authenticate via the fingerprint sensor, and ultimately doesn't even save the file.
is this fixed after #69?
is this fixed after #69?
I'd say no, the change is mostly unrelated. If you have authenticated before and the authentication token is still valid, it will not ask for a password/fingerprint/yubikey. But if sudo wants you to authenticate, suda still behaves as before.
But isn't this what the option g:suda#nopass is for?
@sstark not quite. this is an issue we're currently working on actually. please see this comment for a description of how it actually works: https://github.com/lambdalisue/suda.vim/issues/61#issuecomment-1990924321
and if you can come up with a better name, we're looking for one at #73