sudo constantly asking for password with LDAP SSH user.

[tiendungitd]

Hello,
I'm using Ubuntu 16.04, just upgraded sudo from version 1.8.16 to 1.9.5p2. When I SSH to server by LDAP account, I try to run some sudo command, the server require to input password constantly, I'm sure that I input a correct password, but in auth.log show I entered incorrect password.
Feb 2 10:28:05 sin-rcr01 sudo: AVN\ttdung : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/AVN/ttdung ; USER=root ; COMMAND=/bin/su
This is sudo -V of sudo 1.9.5

Sudo version 1.9.5p2
Configure options:
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48

Sudoers path: /etc/sudoers
Authentication methods: 'passwd'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if user authentication fails
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/lib/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: Password:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        *=()*
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        BASHOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo

Local IP address and netmask pairs:
        10.123.1.34/255.255.255.0
        fe80::46f:e4ff:fe8e:176/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p2

Here is output of sudo 1.8.16 before upgrading:

Sudo version 1.8.16
Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-rundir=/var/run/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit
Sudoers policy plugin version 1.8.16
Sudoers file grammar version 45

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if user authentication fails
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15.0 minutes
Password prompt timeout: 0.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/lib/sudo/lectured
Path to authentication timestamp dir: /var/run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        __BASH_FUNC<*
        BASH_FUNC_*
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        BASHOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        HOME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use
PAM service name to use for login shells
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Maximum I/O log sequence number: 0
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit

Local IP address and netmask pairs:
        10.124.1.237/255.255.255.0
        fe80::66:edff:feb1:3d80/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.16

I think the difference is "Authentication methods", the new version using "passwd" method instead of "pam", How can I change it?
Thanks.

[millert]

Yes, that is the problem. Your new version of sudo doesn't appear to have been built with PAM support. You don't say whether you build sudo yourself or used a pre-built package. If you used a package, where did it come from? From the sudo 1.8.16 output you can see the configure options that version of sudo was built with. It appears that for 1.9.5p2 the defaults were chosen and for some reason PAM was not found (perhaps the pam devel libs were not present).

You should be able to use the 1.9.5p2 Ubuntu 16.04 sudo package from github or the sudo.ws website which will have PAM support.

[millert]

If you would like to build your own sudo package, the easiest method is to run ./scripts/mkpkg from the sudo source dir (or use the appropriate path if using a separate build dir). That will build a package with the same configure options as the ones on github and sudo.ws. You will need to have at least the following packages installed build the package: build-essential ed dpkg-dev libldap2-dev libpam0g-dev libsasl2-dev libselinux1-dev libsepol1-dev zlib1g libaudit-dev fakeroot libssl-dev python3-dev libpython3-dev

[tiendungitd]

@millert : I built the sudo package by following command:

`wget https://www.sudo.ws/dist/sudo.tar.gz && \
tar xvzf sudo.tar.gz && \
cd sudo-1.9.5p2/ && \
./configure && \
make && \
make install`

I did not set any option in configure step which might causing the issue. I try to install pre-build package https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo_1.9.5-3_ubu1604_amd64.deb, but the issue still occur

`root@kladev:/home/ubuntu# dpkg -i sudo_1.9.5-3_ubu1604_amd64.deb
(Reading database ... 145787 files and directories currently installed.)
Preparing to unpack sudo_1.9.5-3_ubu1604_amd64.deb ...
Unpacking sudo (1.9.5-3) over (1.8.16-0ubuntu1.10) ...
Setting up sudo (1.9.5-3) ...
Installing new version of config file /etc/pam.d/sudo ...

Configuration file '/etc/sudoers'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/sudoers ...

Configuration file '/etc/sudo.conf'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** sudo.conf (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/sudo.conf ...
Processing triggers for man-db (2.7.5-1) ...
root@kladev:/home/ubuntu# sudo -V
Sudo version 1.9.5p2
Configure options:
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48

Sudoers path: /etc/sudoers
Authentication methods: 'passwd'
`

did I miss something?

[millert]

You now have sudo installed in two locations. The sudo package installs things in /usr but the one you built puts them in /usr/local.

[tiendungitd]

I tried to uninstall the one I build by "make uninstall", but got the error

/usr/local/sbin/visudo
/usr/local/sbin/visudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory
Makefile:429: recipe for target 'uninstall' failed
make[1]: *** [uninstall] Error 127
make[1]: Leaving directory '/home/ubuntu/sudo-1.9.5p2/plugins/sudoers'
Makefile:196: recipe for target 'uninstall' failed
make: *** [uninstall] Error 2

[millert]

This is due to a typo in plugin/sudoers/Makefile. In the uninstall target there should be a backslash at the end of the line that removes sudoreplay (like there already is for cvtsudoers). There is another missing backslash in doc/Makefile removing the sudoers_timestamp manual.

[tiendungitd]

Thanks @millert , I can fixed the issue by uninstall the wrong package and reinstall with pre-built package in sudo.ws website