[sudo-workers] NOPASSWD sudo and PAM

Todd C. Miller Todd.Miller at sudo.ws
Fri Jan 12 05:33:31 MST 2018

On Fri, 12 Jan 2018 09:22:21 +0100, =?UTF-8?Q?Daniel_Kope=c4=8dek?= wrote:

> is there a difference w.r.t. PAM stack interaction for NOPASSWD vs 
> PASSWD sudoers entries?

If NOPASSWD is set or if the time stamp file allows the user to run
commands without authentication then only the PAM session modules
will be called.  That means that pam_authenticate() is not called
so the account modules will not be run.

I'm not aware of a way to have the account module called without
using pam_authenticate().

I don't think this is a bug, it is just an effect of disabling

 - todd

More information about the sudo-workers mailing list