[sudo-workers] NOPASSWD sudo and PAM

Todd C. Miller Todd.Miller at sudo.ws
Fri Jan 12 05:33:31 MST 2018


On Fri, 12 Jan 2018 09:22:21 +0100, Daniel Kopeček wrote:

> is there a difference w.r.t. PAM stack interaction for NOPASSWD vs 
> PASSWD sudoers entries?

If NOPASSWD is set or if the time stamp file allows the user to run
commands without authentication then only the PAM session modules
will be called.  That means that pam_authenticate() is not called
so the account modules will not be run.

I'm not aware of a way to have the account module called without
using pam_authenticate().

I don't think this is a bug; it is just an effect of disabling
authentication.

 - todd
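
Added example (not part of the original message and not sudo project code): a small Python audit that takes the behaviour described in the message as given and lists which sudoers rules carry NOPASSWD and which auth/account modules in the sudo PAM service file would therefore not be consulted for them. The sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration; not taken from a real system.
SAMPLE_PAM = """\
#%PAM-1.0
auth       required   pam_unix.so
account    required   pam_access.so
account    [default=bad success=ok] pam_time.so
-session   optional   pam_systemd.so
session    required   pam_limits.so
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
alice   ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
%ops    ALL=(ALL) \\
        NOPASSWD: ALL
"""

# type, control (plain word or [bracketed] form), module path
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules_by_type(pam_text):
    """Group the modules of one pam.d service file by management type."""
    stack = {"auth": [], "account": [], "password": [], "session": []}
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            stack[m.group(1)].append(m.group(3))
    return stack

def nopasswd_principals(sudoers_text):
    """Return the user/group field of every rule carrying the NOPASSWD tag."""
    joined = re.sub(r"\\\n", " ", sudoers_text)  # fold continuation lines
    found = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if re.search(r"\bNOPASSWD\s*:", line):
            found.append(line.split()[0])
    return found

def audit(pam_text, sudoers_text):
    """Assumes the behaviour in the message: NOPASSWD rules reach session modules only."""
    stack = pam_modules_by_type(pam_text)
    return {"nopasswd": nopasswd_principals(sudoers_text),
            "not_consulted": stack["auth"] + stack["account"],
            "still_run": stack["session"]}

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_SUDOERS))
```

Targets of `include` or `substack` lines are reported by name rather than resolved, so run the audit on each included service file as well.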

