When I log in, I need to enter my password, and then when I want to sudo, I need to enter the same password again. Would it be possible to configure pam to use the log-in password to create a sudo timestamp?
pam_exec.so is a PAM module that can call an external program at any stage: auth, account, password and session. Via the expose_authtok option it can provide the password on the program's stdin. So I added the following at the end of /etc/pam.d/common-auth:
auth optional pam_exec.so expose_authtok /lib/security/pam_sudo_timestamp.sh
The pam_sudo_timestamp.sh script reads the password from stdin and then checks which user it is running as (when logging in it is typically run as root, but when unlocking a screensaver it is run as the user). If run as root, it does a double sudo (first to the user and then back to root) to make sure that the user really should have sudo powers. Otherwise it simply runs sudo.
All of this is useless if your sudo is configured with tty_tickets, which is the default. If set, users must authenticate on a per-tty basis. So add "!tty_tickets" to the Defaults in your computer's /etc/sudoers.
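As an added illustration (this is not the answerer's script), here is one way the helper described above can be written. The PAM_TYPE and PAM_USER environment variables and the password-on-stdin behaviour are documented by pam_exec.so; the file name, the function names and the exact sudo flags are assumptions made for this example.

```shell
#!/bin/sh
# pam_sudo_timestamp.sh -- example helper for
#   auth optional pam_exec.so expose_authtok /lib/security/pam_sudo_timestamp.sh
# With expose_authtok, pam_exec.so writes the password to our stdin and
# exports PAM_TYPE, PAM_USER and PAM_SERVICE. Everything below is an
# assumed implementation, not the original answer's script.

# Pick the sudo invocation that refreshes the timestamp for user "$1" when
# this script runs as uid "$2". Kept free of side effects so it can be tested.
sudo_cmd_for() {
    user=$1
    uid=$2
    if [ "$uid" -eq 0 ]; then
        # Console login: we are root, and root may sudo to anyone, so the
        # outer sudo only drops to the user; the inner sudo -v is what checks
        # that this user is actually allowed to use sudo.
        printf 'sudo -n -u %s sudo -S -v\n' "$user"
    else
        # Screensaver unlock: we already run as the user, so a plain
        # validation is enough.
        printf 'sudo -S -v\n'
    fi
}

refresh_sudo_timestamp() {
    # Act only in the auth phase and only for a named user; the other PAM
    # phases do not carry a password.
    [ "$PAM_TYPE" = "auth" ] || return 0
    [ -n "$PAM_USER" ] || return 0
    cmd=$(sudo_cmd_for "$PAM_USER" "$(id -u)")
    # The password is still unread on stdin; hand it directly to sudo -S and
    # never echo or log it. Exit 0 whatever happens so login is unaffected.
    $cmd >/dev/null 2>&1 || true
    return 0
}

refresh_sudo_timestamp
```

Two points worth keeping in mind with this approach: the script sees the cleartext password, so it should be root-owned, not writable by others, and must never write its input anywhere; and the double sudo in the root case is not decoration, since a bare `sudo -v` run by root would succeed for every user regardless of sudoers.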