|Summary:||security/sudo hangs indefinitely when using pam_yubico.so for authentication|
|Product:||Ports & Packages||Reporter:||Matthew <mlogsd>|
|Component:||Individual Port(s)||Assignee:||Renato Botelho <garga>|
|Severity:||Affects Some People||CC:||garga|
Description Matthew 2020-05-06 19:22:41 UTC
When using pam_yubico.so for authentication in /etc/pam.d/sudo, the sudo process hangs indefinitely and can't be killed or interrupted with ctrl+c. The system has to be booted to clear the state. I have reproduced this on several systems, physical and virtual, on 12.0-RELEASE as well as 12.1-RELEASE p1-4. There is no output or logs that I have found; the process just blocks forever.
Comment 1 Chris Hutchinson 2020-05-06 19:44:38 UTC
FWIW you can kill it by changing terminals ( CTRL+ALT+F<num> ), logging in as someone in the wheel group, and performing a ps waux | grep sudo, which should provide a pid number you HUP, as in kill -HUP <pid number>, or perhaps even killall sudo might work. A PITA, but probably better than bouncing your box. :) While this won't fix your issue, I just thought it might help in the interim. :)
Comment 2 Matthew 2020-05-06 21:21:15 UTC
(In reply to Chris Hutchinson from comment #1) I tried kill -9 on it but it never dies. I did not try kill -HUP.
Comment 3 Matthew 2020-09-10 02:23:16 UTC
Issue still seems to exist on 12.1-RELEASE-p8. Sudo with yubikey enabled hangs indefinitely and the processes don't respond to kills.
Comment 4 Matthew 2021-03-02 01:06:53 UTC
I updated to 12.2 p4 and still have the same issue; after running sudo -i the sudo command hangs indefinitely, with one minor difference. Now if I kill the sudo process from another terminal and immediately run sudo again I do get a valid shell without the hang. I put the pam_yubico module in debug mode and see that it is indeed getting a success and finishing the module. If I add the pam_unix module after the pam_yubico module the pam_unix module does ask for a password. After getting past the yubico module and entering the password requested by the pam_unix module it still hangs indefinitely.