[sudo-workers] NOPASSWD sudo and PAM
Daniel Kopeček
dkopecek at redhat.com
Fri Jan 12 01:22:21 MST 2018
Hi Todd,
is there a difference w.r.t. PAM stack interaction for NOPASSWD vs
PASSWD sudoers entries?
I was investigating why pam_time isn't working with sudo and found out
that it was because of the NOPASSWD flag.
It caused sudo to skip the PAM account phase and therefore skip the
pam_time module, which is used like this:
/etc/pam.d/sudo:
    account required pam_time.so
/etc/security/time.conf:
    sudo;*;*;!Al0000-24000
That should cause pam_time to deny any attempt, but in the case of a
NOPASSWD entry it is ignored.
Is this expected behavior or a bug?
Regards,
Daniel
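
The mismatch reported in the message above can be audited for. The following is an added example, not part of the original post and not sudo project code: it lists the account-phase modules in a sudo PAM file and the sudoers commands that carry NOPASSWD, which per the report are the rules those modules do not cover. The sample file contents and function names are constructed for illustration, and the sudoers parsing is simplified (no aliases, includes, or multi-host specs).

```python
import re

# Constructed sample inputs for illustration; not taken from a real host.
PAM_SUDO = """\
auth     include   system-auth
account  required  pam_time.so
-account [default=bad success=ok] pam_access.so
account  include   system-auth
"""
SUDOERS = """\
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/tar
deploy  ALL=(root, www) NOEXEC: NOPASSWD: /usr/bin/systemctl, \\
        /usr/bin/journalctl
"""

def account_modules(pam_text):
    """Modules that the PAM service file runs in the account phase."""
    mods = []
    for line in pam_text.splitlines():
        m = re.match(r"-?account\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip())
        if m and m.group(2).endswith(".so"):   # skip include/substack targets
            mods.append(m.group(2))
    return mods

def nopasswd_commands(sudoers_text):
    """(user, command) pairs for which the NOPASSWD tag is in effect."""
    found = []
    text = re.sub(r"\\\n\s*", " ", sudoers_text)      # join continuation lines
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        user, spec = line.split(None, 1)
        nopasswd = False
        # Split the command list on commas that are not inside a (runas) list.
        for item in re.split(r",(?![^(]*\))", spec.split("=", 1)[1]):
            item = re.sub(r"^\s*\([^)]*\)", "", item).strip()
            while (t := re.match(r"([A-Z_]+):\s*", item)):   # peel off tags
                # A PASSWD/NOPASSWD tag persists for later commands until changed.
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                item = item[t.end():]
            if nopasswd:
                found.append((user, item))
    return found

def audit(pam_text, sudoers_text):
    """Assumes the behaviour reported above: NOPASSWD rules skip account modules."""
    mods, rules = account_modules(pam_text), nopasswd_commands(sudoers_text)
    return {"account_modules": mods, "nopasswd": rules} if mods and rules else {}
```

An empty result from audit() means either no account-phase modules are configured for sudo or no rule carries NOPASSWD.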