Single sign-on sudo

Submitted by raf on Wed, 03/24/2010 - 22:26

When I log in, I need to enter my password, and then when I want to sudo, I need to enter the same password again. Would it be possible to configure PAM to use the log-in password to create a sudo timestamp? is a PAM module that can call an external program at any stage: auth, account, password and session. Via the expose_authtok option it can provide the password on the program's stdin. So I added the following at the end of /etc/pam.d/common-auth:

auth	optional expose_authtok /lib/security/

The script reads the password from stdin and then checks which user it is running as (when logging in it is typically run as root, but when unlocking a screensaver it is run as the user). If run as root, it does a double sudo (first to the user and then back to root) to make sure that the user really should have sudo powers. Otherwise it simply runs sudo.

All of this is useless if your sudo is configured with tty_tickets, which is the default. If set, users must authenticate on a per-tty basis. So add "!tty_tickets" to the Defaults in your computer's /etc/sudoers.
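The helper script the post describes, written out as an added example (this is not raf's own script). It assumes pam_exec is the module on the common-auth line (so PAM_TYPE and PAM_USER are in the environment and the password arrives on stdin), and that /etc/sudoers already has !tty_tickets; the SUDO variable is an assumption added only so the script can be exercised without a real sudo.

```shell
#!/bin/sh
# Hypothetical pam_exec helper: refresh the logging-in user's sudo timestamp
# using the password PAM just verified. Run as root at login, as the user
# when a screensaver is unlocked. The password is never copied into a
# variable or an argument; it is passed straight through on stdin.

SUDO=${SUDO:-sudo}   # assumption: overridable so the logic can be tested

# refresh_timestamp UID USER
# 'sudo -v' only creates or extends USER's timestamp and runs no command;
# '-S' makes sudo read the password from stdin, '-p ""' suppresses the prompt.
refresh_timestamp() {
    uid=$1
    user=$2
    if [ "$uid" -eq 0 ]; then
        # Login: we are root. Hop to the user first, so the inner sudo checks
        # that USER is actually allowed to sudo and stamps USER, not root.
        # '-n' keeps the outer sudo from ever waiting for input.
        "$SUDO" -n -u "$user" "$SUDO" -S -p '' -v
    else
        # Screensaver unlock: already running as the user.
        "$SUDO" -S -p '' -v
    fi
}

# Act only when pam_exec invokes us for the auth phase; the same script can
# be listed for other phases, where there is no password on stdin.
if [ "$PAM_TYPE" = "auth" ] && [ -n "$PAM_USER" ]; then
    refresh_timestamp "$(id -u)" "$PAM_USER" || exit 0
fi
```

Because expose_authtok hands the script the plaintext password, the file must be owned by root and writable by nobody else, and the timestamp it creates lapses after sudo's timestamp_timeout like any other.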