If sudo is run without a tty via ssh, suggest using "ssh -t"

The current warning message mentions using sudo's -S option but
this will cause the password to be echoed without a terminal.
In most cases, the user just needs to run ssh with the -t option.

Author: millert

docs/sudo.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
 .\"	Todd C. Miller <[email protected]>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDO" "@mansectsu@" "August 9, 2023" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "December 20, 2024" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1594,14 +1594,23 @@ option is specified) and the standard input has been redirected from
 \fBsudo\fR
 needs to read the password but there is no mechanism available for it
 to do so.
-A terminal is not present to read the password from,
-\fBsudo\fR
-has not been configured to read from the standard input,
-the
+Remote commands run via
+ssh(1)
+do not have a terminal available by default; passing the
+\fB\-t\fR
+option to
+ssh(1)
+will cause it to allocate a terminal which should allow
+\fBsudo\fR
+to read the password.
+To allow
+\fBsudo\fR
+to run local commands without a terminal, the
 \fB\-S\fR
-option was not used, and no askpass helper has been specified either via the
+option can be used to read a password from the standard input, or
+an askpass helper can be configured via either the
 sudo.conf(@mansectform@)
-file or the
+file or by setting the
 \fRSUDO_ASKPASS\fR
 environment variable.
 .TP 6n

docs/sudo.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
 .\"	Todd C. Miller <[email protected]>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd August 9, 2023
+.Dd December 20, 2024
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1492,14 +1492,23 @@ option is specified) and the standard input has been redirected from
 .Nm
 needs to read the password but there is no mechanism available for it
 to do so.
-A terminal is not present to read the password from,
-.Nm
-has not been configured to read from the standard input,
-the
+Remote commands run via
+.Xr ssh 1
+do not have a terminal available by default; passing the
+.Fl t
+option to
+.Xr ssh 1
+will cause it to allocate a terminal which should allow
+.Nm
+to read the password.
+To allow
+.Nm
+to run local commands without a terminal, the
 .Fl S
-option was not used, and no askpass helper has been specified either via the
+option can be used to read a password from the standard input, or
+an askpass helper can be configured via either the
 .Xr sudo.conf @mansectform@
-file or the
+file or by setting the
 .Ev SUDO_ASKPASS
 environment variable.
 .It Li no writable temporary directory found

src/tgetpass.c

@@ -137,8 +137,13 @@ tgetpass(const char *prompt, int timeout, unsigned int flags,
 	ttyfd = open(_PATH_TTY, O_RDWR);
 	if (ttyfd == -1 && !ISSET(flags, TGP_ECHO|TGP_NOECHO_TRY)) {
 	    if (askpass == NULL || getenv_unhooked("DISPLAY") == NULL) {
-		sudo_warnx("%s",
-		    U_("a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper"));
+		if (getenv_unhooked("SSH_CONNECTION") != NULL && getenv_unhooked("SSH_TTY") == NULL) {
+		    sudo_warnx("%s",
+			U_("a terminal is required to read the password; either use ssh's -t option or configure an askpass helper"));
+		} else {
+		    sudo_warnx("%s",
+			U_("a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper"));
+		}
 		debug_return_str(NULL);
 	    }
 	    SET(flags, TGP_ASKPASS);