[sudo-workers] NOPASSWD sudo and PAM

Daniel Kopeček dkopecek at redhat.com
Fri Jan 12 01:22:21 MST 2018

Hi Todd,

   is there a difference w.r.t. PAM stack interaction for NOPASSWD vs 
PASSWD sudoers entries?

I was investigating why pam_time isn't working with sudo and found out 
that it was because the NOPASSWD flag.

It caused sudo to skip the PAM account phase and therefore skipping the 
pam_time module which is used like this:


   account required pam_time.so



That should cause pam_time to deny any attempt but in case of a NOPASSWD 
entry it is ignored.

Is this expected behavior or a bug?



More information about the sudo-workers mailing list