Add the following lines underneath the pam_rootok.so line in your

    auth [success=ignore default=1] pam_succeed_if.so user = martin-test
    auth sufficient                 pam_succeed_if.so use_uid user = martin
These lines perform checks using the pam_succeed_if.so module. See also the Linux-PAM configuration file syntax to learn more about the

- The first line checks whether the target user is martin-test. If it is, nothing happens (success=ignore) and we continue on the next line to check the current user. If it is not, the next line is skipped (default=1) and we continue on the subsequent lines with the usual authentication steps.
- The second line checks whether the current user is martin or not. If it is, the system considers the authentication process successful and returns (sufficient); if it is not, nothing happens and we continue on the subsequent lines with the usual authentication steps.
You can also restrict su to a group, here the group su without a password:

    auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
If you don't want to change groups or use sudo, use a PAM module called pam_exec to execute external scripts in a PAM stage. Add a line in your /etc/pam.d/su after the

    auth sufficient pam_exec.so quiet /path/to/script

/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:

    #!/bin/bash
    # pam_exec exports the PAM context as environment variables:
    #   PAM_TYPE  - the stage being run (auth, account, session, ...)
    #   PAM_USER  - the user being authenticated (the su target)
    #   PAM_RUSER - the requesting (calling) user
    if [ "$PAM_TYPE" == "auth" ] && [ "$PAM_USER" == "martin-test" ] && [ "$PAM_RUSER" == "martin" ]; then
        exit 0   # success: the "sufficient" pam_exec line satisfies auth
    else
        exit 1   # failure: fall through to the usual password prompt
    fi
So this script exits with success if

- it is called in the context of authentication,
- the calling user is
- the user to authenticate is

    martin@host:~$ su - martin-test
    martin-test@host:~$ exit
    martin@host:~$ su - otheruser
    Password: ****
    otheruser@host:~$
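To review the result of such edits, the following audit script is an added example (not code from the answer above or from Linux-PAM). It takes an /etc/pam.d/su text and lists every "auth sufficient" rule that can satisfy authentication before pam_unix asks for a password, which is exactly the set of lines the edits above introduce. It goes one step beyond the answer: a pam_succeed_if rule that lacks use_uid is evaluated against the target user (PAM_USER) rather than the caller, so "auth sufficient pam_succeed_if.so user = martin-test" would let any account su to martin-test; the script tags such lines as RISK. The configuration text is constructed for the example and includes one such deliberately wrong line.

```shell
#!/bin/sh
# Constructed /etc/pam.d/su fragment (not taken from any real system). It
# contains the lines discussed above plus one deliberately wrong
# pam_succeed_if line that omits use_uid.
SAMPLE_PAM_SU='auth  sufficient  pam_rootok.so
auth  [success=ignore default=1]  pam_succeed_if.so user = martin-test
auth  sufficient  pam_succeed_if.so use_uid user = martin
auth  sufficient  pam_succeed_if.so use_uid user ingroup allowedpeople
auth  sufficient  pam_succeed_if.so user = martin-test
auth  sufficient  pam_exec.so quiet /path/to/script
auth  required    pam_unix.so'

# audit_pam_su CONFIG_TEXT
# Prints one line per "auth sufficient" rule that can short-circuit the
# password check. A pam_succeed_if rule without use_uid is tagged RISK
# because its condition applies to the target user, hence to every caller.
audit_pam_su() {
    printf '%s\n' "$1" | awk '
        # only "sufficient" auth rules can end the stack early
        $1 != "auth" || $2 != "sufficient" { next }
        # root is expected to su freely; pam_unix is the password check itself
        $3 == "pam_rootok.so" || $3 == "pam_unix.so" { next }
        $3 == "pam_succeed_if.so" {
            has_uid = 0
            for (i = 4; i <= NF; i++) if ($i == "use_uid") has_uid = 1
            if (!has_uid) { print "RISK (no use_uid, applies to any caller): " $0; next }
        }
        { print "REVIEW: " $0 }
    '
}

# Counters so the audit result can be checked programmatically.
count_risk()   { audit_pam_su "$1" | grep -c '^RISK'; }
count_review() { audit_pam_su "$1" | grep -c '^REVIEW'; }

audit_pam_su "$SAMPLE_PAM_SU"
```

Run against the real file with `audit_pam_su "$(cat /etc/pam.d/su)"`; on the sample it reports three REVIEW lines (the two use_uid rules and the pam_exec rule) and one RISK line.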
This might be the best possible way. su is not meant to do that —

/etc/sudoers.d/custom and write the following:

    user-a ALL=(user-b:user-b) NOPASSWD:ALL

This means: whenever user-a executes sudo -u user-b, let him through without asking for the password.
    youruserid ALL = (username) NOPASSWD: ALL

visudo and then sudo -u username bash is like su - username.