Password prompt goes to stdout

[ghost]

It should go to stderr, so that e.g. doas ls > ls.out works and ls.out does not contain the Password: prompt. OpenBSD's doas does the right thing here.

I think this can be setup with PAM somehow, so this is likely related to #2.

[slicer69]

Confirmed this is an issue. Trying to find the proper PAM documentation to direct the prompt to stderr.

[slicer69]

This issue has been fixed (or at least worked around) in the latest commit: cef2929

The password prompt is now displayed on stderr and the target command's output is written to stdout. At least it's working for me, would like to get it tested before I send update the FreeBSD port.

[ghost]

While it solves the problem I initially reported it still has another one. Redirecting stderr has the same problem. On OpenBSD doas ls &> ls.out works without putting the password prompt in ls.out (this works with sudo too). On FreeBSD with your fix the prompt still ends up in ls.out.

AFAICT su(1) solves this by using ttyname with pam_set_item(..., PAM_TTY, ...) (https://github.com/freebsd/freebsd/blob/master/usr.bin/su/su.c#L297 and https://github.com/freebsd/freebsd/blob/master/usr.bin/su/su.c#L123).

[slicer69]

I tried using ttyname and pam_set_item the way su does yesterday. It didn't work. Depending on where the call is made, I either ended up with the password prompt in stdout or no visible password prompt at all.

You said ls &> ls.out put the password prompt in the output, but that is what I would consider expected behaviour considering the command. I mean that is what I would want to happen if I ran doas ls &> ls.out.