Last active
July 28, 2022 13:33
-
-
Save ciastek/d496ac00ad68f5367db7 to your computer and use it in GitHub Desktop.
[SOLVED] Why sudo asks for user password in tmux/ssh session?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In console: | |
| root# passwd -d user | |
| In console: | |
| login: user | |
| user$ sudo whoami | |
| root | |
| user$ tmux | |
| In tmux/ssh session: | |
| user$ sudo whoami | |
| [sudo] password for user: | |
| Why sudo asks for user password in tmux/ssh session? | |
| EDIT: | |
| Why? Because it's configured so! | |
| sudo uses PAM. sudo's PAM is configured in /etc/pam.d/sudo, which includes /etc/pam.d/common-auth, which define using pam_unix.so module with nullok_secure argument. | |
| As man pam_unix states: | |
| nullok_secure (...) The nullok_secure argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty. | |
| In console: | |
| user$ tty | |
| /dev/tty1 | |
| In tmux/ssh session: | |
| user$ tty | |
| /dev/pts/0 | |
| /etc/securetty has /dev/tty1 entry, and has no /dev/pts/0 entry. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # /etc/pam.d/common-auth - authentication settings common to all services | |
| # | |
| # This file is included from other service-specific PAM config files, | |
| # and should contain a list of the authentication modules that define | |
| # the central authentication scheme for use on the system | |
| # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the | |
| # traditional Unix authentication mechanisms. | |
| # | |
| # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | |
| # To take advantage of this, it is recommended that you configure any | |
| # local modules either before or after the default block, and use | |
| # pam-auth-update to manage selection of other modules. See | |
| # pam-auth-update(8) for details. | |
| # here are the per-package modules (the "Primary" block) | |
| auth [success=1 default=ignore] pam_unix.so nullok_secure | |
| # here's the fallback if no module succeeds | |
| auth requisite pam_deny.so | |
| # prime the stack with a positive return value if there isn't one already; | |
| # this avoids us returning an error just because nothing sets a success code | |
| # since the modules above will each just jump around | |
| auth required pam_permit.so | |
| # and here are more per-package modules (the "Additional" block) | |
| auth optional pam_cap.so | |
| # end of pam-auth-update config |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #%PAM-1.0 | |
| auth required pam_env.so readenv=1 user_readenv=0 | |
| auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 | |
| @include common-auth | |
| @include common-account | |
| @include common-session-noninteractive |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for sharing this ;)