@ciastek
Last active July 28, 2022 13:33
[SOLVED] Why does sudo ask for the user's password in a tmux/ssh session?
In console:
root# passwd -d user
In console:
login: user
user$ sudo whoami
root
user$ tmux
In tmux/ssh session:
user$ sudo whoami
[sudo] password for user:
Why does sudo ask for the user's password in a tmux/ssh session?
EDIT:
Why? Because it's configured so!
sudo uses PAM. sudo's PAM stack is configured in /etc/pam.d/sudo, which includes /etc/pam.d/common-auth, which in turn calls the pam_unix.so module with the nullok_secure argument.
As man pam_unix states:
nullok_secure (...) The nullok_secure argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty.
In console:
user$ tty
/dev/tty1
In tmux/ssh session:
user$ tty
/dev/pts/0
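/etc/securetty has a /dev/tty1 entry and no /dev/pts/0 entry. Since passwd -d left user with a blank password, pam_unix accepts it on /dev/tty1 but not on /dev/pts/0, so sudo prompts for a password there.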
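
The decision described above, modelled as an added shell example (not part of the original gist and not pam_unix's own code). It assumes only the first auth pam_unix.so line matters; the function names null_option and blank_password_ok and the sample securetty contents are constructed for illustration.

```shell
#!/bin/sh
# Simplified model (assumption): only the first "auth ... pam_unix.so" line is
# considered. securetty lists device names without the /dev/ prefix, so the
# prefix is stripped from PAM_TTY before comparing.

# null_option PAM_FILE -> prints nullok_secure, nullok or none
null_option() {
    awk '$1 == "auth" && /pam_unix\.so/ {
             opt = "none"
             for (i = 2; i <= NF; i++) {
                 if ($i == "nullok_secure") opt = $i
                 else if ($i == "nullok" && opt == "none") opt = $i
             }
             print opt; found = 1; exit
         }
         END { if (!found) print "none" }' "$1"
}

# blank_password_ok PAM_FILE SECURETTY_FILE PAM_TTY -> exit 0 if a blank password passes
blank_password_ok() {
    case "$(null_option "$1")" in
        nullok)        return 0 ;;                      # blank allowed on any tty
        nullok_secure) grep -qxF -- "${3#/dev/}" "$2" ;; # blank allowed only on listed ttys
        *)             return 1 ;;                      # blank never allowed
    esac
}

# Constructed sample files (nothing is read from the live system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/common-auth" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
EOF
printf '%s\n' '# constructed securetty' console tty1 tty2 > "$demo/securetty"

for t in /dev/tty1 /dev/pts/0; do
    if blank_password_ok "$demo/common-auth" "$demo/securetty" "$t"; then
        echo "$t: blank password accepted, sudo does not prompt"
    else
        echo "$t: blank password rejected, sudo prompts"
    fi
done
```
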
In /etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
In /etc/pam.d/sudo:
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
dud225 commented Jan 11, 2019

Thanks for sharing this ;)