How to su into Another User Account Without Having to Use Their Password

Tutorial Dec 17, 2020

This tutorial shows how to let a user su into another user account without being prompted for that account's password, by changing the PAM configuration of su.

By default, only root can su to another user account without supplying the target account's password (a user with sudo rights gets the same effect with sudo su - userb, but authenticates with their own password, not passwordlessly). Any other user who fails to provide the right password gets an "Authentication failure" message, as shown below.

su - userb
Password: 
su: Authentication failure

Pluggable Authentication Modules

PAM, short for Pluggable Authentication Modules, is at the core of user authentication in almost all modern Linux distributions. Each PAM-aware program (su, login, sshd, ...) has its own stack of modules under /etc/pam.d/. PAM can be configured to deny certain programs the right to authenticate users, to only allow certain users to be authenticated, to warn when certain programs attempt to authenticate, or even to deprive all users of login privileges. In short, PAM gives us complete control over how users are authenticated.

To allow usera to su to userb's user account without a password, we must modify the PAM settings of su by editing the /etc/pam.d/su file.

sudo vim /etc/pam.d/su

Add the two pam_succeed_if lines (the last two lines in the listing below) right after the auth sufficient pam_rootok.so line, and before whatever password modules follow it (on Debian-based systems that is @include common-auth).

#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = userb
auth       sufficient pam_succeed_if.so  use_uid user = usera

The first line checks whether the target user (PAM_USER, the account being switched to) is userb. pam_succeed_if tests the target user by default. If it is userb, the module's own result is discarded and processing simply continues with the next line (success=ignore). If the target is not userb, the next line is skipped (default=1 means "skip one module on any result other than success"), and processing carries on with the lines that come after these two, i.e. the normal password prompt.

The second line checks whether the user running su is usera. The use_uid option makes pam_succeed_if test the real UID of the calling process instead of the target user. If it matches, the module returns success and, because the line is marked sufficient and no earlier required module has failed, authentication succeeds immediately and no password is asked for. If it does not match, the failure of a sufficient module is ignored and the lines that come after these two are evaluated as usual.

Note that pam_succeed_if logs to syslog when its test fails; add the quiet option to either line if you do not want those entries.

With this configuration, usera can switch to userb with a plain su - userb and will not be prompted. The grant is one-way: userb still needs usera's password to go the other direction. Keep in mind that this is exactly equivalent to handing usera full access to userb's account, so the two accounts now share a trust boundary: anyone who compromises usera has userb as well.

To make authentication succeed whenever the calling user and the target user are both members of the same group (here, friends), replace the two lines with the ingroup form, so that /etc/pam.d/su looks like this:

#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user ingroup friends
auth       sufficient pam_succeed_if.so  use_uid user ingroup friends

With this, any member of the friends group can use su to switch to any other member of friends without providing that user's password. The grant is symmetric, so the group is effectively one shared identity; never add root or any other privileged account to it, and remember that the first line only requires the target to be in the group, so a member of friends who can also run su as root would not be affected (pam_rootok already handles root).
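The two edits above (a user-to-user grant and a group grant) are both the same operation on /etc/pam.d/su: insert a pam_succeed_if pair directly after the pam_rootok line. The following POSIX shell script is an added example, not part of the original tutorial, that performs that insertion on a file you name (keeping a backup, since a broken su stack can lock you out), refuses to edit a file that has no pam_rootok line, and audits a file to list every passwordless grant such a pair encodes. The sample file it writes is a constructed, trimmed stand-in for a Debian-style /etc/pam.d/su; the function names are ours.

```shell
#!/bin/sh
# Added example (not the tutorial's own script). Assumes a Debian-style
# /etc/pam.d/su with an "auth sufficient pam_rootok.so" line placed before
# the password modules; run the add/list functions against a scratch copy
# first, then against the real file as root.
set -eu

# Constructed, trimmed stand-in for /etc/pam.d/su used as sample input.
make_sample_su_pam() {   # $1 = path to write
    cat > "$1" <<'EOF'
#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
@include common-auth
@include common-account
@include common-session
EOF
}

# Insert the pam_succeed_if pair right after the pam_rootok line.
#   $1 = PAM file, $2 = test on the target account (e.g. "user = userb" or
#   "user ingroup friends"), $3 = test on the calling account (same syntax).
# The first line tests PAM_USER (the target); the second adds use_uid so
# pam_succeed_if tests the real uid of the process running su instead.
pam_su_add_grant() {
    file=$1; target=$2; caller=$3
    if ! grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$file"; then
        echo "pam_su_add_grant: no pam_rootok line in $file, refusing to edit" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"          # backup: a broken su stack locks you out
    awk -v t="$target" -v c="$caller" '
        { print }
        /^auth[ \t]+sufficient[ \t]+pam_rootok\.so/ && !done {
            print "auth       [success=ignore default=1] pam_succeed_if.so " t
            print "auth       sufficient pam_succeed_if.so  use_uid " c
            done = 1
        }' "$file.bak" > "$file"
}

# Audit: print "caller-test => target-test" for every adjacent pair of the
# form used above, so you can see at a glance who may su to whom unprompted.
pam_su_list_grants() {   # $1 = PAM file
    awk '
        /pam_succeed_if\.so/ && /success=ignore default=1/ {
            sub(/.*pam_succeed_if\.so[ \t]+/, ""); target = $0; next
        }
        /pam_succeed_if\.so/ && /sufficient/ && /use_uid/ && target != "" {
            sub(/.*use_uid[ \t]+/, ""); print $0 " => " target
        }
        { target = "" }' "$1"
}

# Demo on a scratch copy when run as: sh this.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_sample_su_pam "$d/su"
    pam_su_add_grant "$d/su" "user = userb" "user = usera"
    pam_su_add_grant "$d/su" "user ingroup friends" "user ingroup friends"
    echo "--- $d/su ---"; cat "$d/su"
    echo "--- grants ---"; pam_su_list_grants "$d/su"
fi
```

Because each call inserts directly after pam_rootok, later grants end up above earlier ones; order between the pairs does not matter, since each pair is self-contained (the success=ignore/default=1 line only ever skips its own partner). The audit function is the check to run before and after editing, and is equally useful when reviewing a host for grants you did not put there.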

Lime